Re: OpenPGP card or USB dongle uTrust stopped working
On Tuesday, June 18, 2024 at 05:00:06 PM +0200, Matthias Apitz wrote:
> On Tuesday, June 18, 2024 at 02:51:36 +0200, Matthias Apitz wrote:
>
> > You remember correctly, but the size in the L5 is smaller (nano, I
> > think).
>
> I used the easy way to check if the culprit is the card or the token: I
> ordered a new card :-)

The new card arrived and at first did not work either with

gpg2 --card-status

Then I realized that the token is a bit open where the card is sitting,
i.e. the two parts of the token are not attached firmly and perhaps the
card has not enough contact. When I press the two parts together, it
works and I can decrypt passwords. I will order a new uTrust token.

Thread closed

matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
I am not at war with Russia.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: OpenPGP card or USB dongle uTrust stopped working
On Tuesday, June 18, 2024 at 02:51:36 +0200, Matthias Apitz wrote:
> You remember correctly, but the size in the L5 is smaller (nano, I
> think).

I used the easy way to check if the culprit is the card or the token: I
ordered a new card :-)

matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
I am not at war with Russia.
Re: OpenPGP card or USB dongle uTrust stopped working
On Tuesday, June 18, 2024 at 08:34:36 -0400, Henning Follmann wrote:
> On Tue, Jun 18, 2024 at 01:30:13PM +0200, Matthias Apitz wrote:
> >
> > ...
> >
> > How can I detect if the problem is the SIM-card or the USB dongle? The
> > problem is in both USB ports of my laptop, that's why I would say, the
> > ports are fine.
> >
> > Petra (i...@floss-shop.de), do you have in FLOSS-shop tools to test such
> > a card? I could send it over to you.
> >
> > ...
>
> Hello,
>
> if I remember correctly you do have a Librem 5.
> By any chance the card reader in there is the same size?

Hello,

You remember correctly, but the size in the L5 is smaller (nano, I
think).

matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
I am not at war with Russia.
Re: OpenPGP card or USB dongle uTrust stopped working
On Tue, Jun 18, 2024 at 01:30:13PM +0200, Matthias Apitz wrote:
> Hello,
>
> I do use since "ages" an OpenPGP card in a USB dongle "uTrust 3512"
> with GnuPG, mostly for the password-store. Today, from one minute to the
> other it stopped working. On attach the uTrust shows up fine in
> /var/log/messages with:
>
> Jun 18 13:08:52 c720-1400094 kernel: ugen0.4: Token> at usbus0
>
> but when I access the card, the message is:
>
> $ gpg2 --card-status
> gpg: selecting card failed: Operation not supported by device
> gpg: OpenPGP card not available: Operation not supported by device
>
> and the LEDs on the dongle keep flickering for some seconds (even after
> the message is already printed).
>
> How can I detect if the problem is the SIM-card or the USB dongle? The
> problem is in both USB ports of my laptop, that's why I would say, the
> ports are fine.
>
> Petra (i...@floss-shop.de), do you have in FLOSS-shop tools to test such
> a card? I could send it over to you.
>
> The situation is not very problematic because I have the same
> password-store in two mobile cellphones with OpenPGP cards too.
>
> Thanks
>
> matthias
>

Hello,

if I remember correctly you do have a Librem 5.
By any chance the card reader in there is the same size?

-H

-- 
Henning Follmann | hfollm...@itcfollmann.com
OpenPGP card or USB dongle uTrust stopped working
Hello,

I do use since "ages" an OpenPGP card in a USB dongle "uTrust 3512"
with GnuPG, mostly for the password-store. Today, from one minute to the
other it stopped working. On attach the uTrust shows up fine in
/var/log/messages with:

Jun 18 13:08:52 c720-1400094 kernel: ugen0.4: at usbus0

but when I access the card, the message is:

$ gpg2 --card-status
gpg: selecting card failed: Operation not supported by device
gpg: OpenPGP card not available: Operation not supported by device

and the LEDs on the dongle keep flickering for some seconds (even after
the message is already printed).

How can I detect if the problem is the SIM-card or the USB dongle? The
problem is in both USB ports of my laptop, that's why I would say, the
ports are fine.

Petra (i...@floss-shop.de), do you have in FLOSS-shop tools to test such
a card? I could send it over to you.

The situation is not very problematic because I have the same
password-store in two mobile cellphones with OpenPGP cards too.

Thanks

matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
I am not at war with Russia.
Re: It takes 8-9 secs until pinentry asks for the PIN of the OpenPGP card
On Friday, May 17, 2024 at 01:39:55 +0900, NIIBE Yutaka wrote:
> Hello,
>
> Matthias Apitz wrote:
> > This isn't that easy. The pcscd is running (when needed) as:
> >
> > purism@pureos:~$ ps ax | grep pcscd
> >    2151 ?        Ssl    0:00 /usr/sbin/pcscd --foreground --auto-exit
> >
> > it is launched by a system service:
>
> I see. IIUC, PureOS is Debian based. There should be a file for systemd
> as /lib/systemd/system/pcscd.service. Its content is something like:
> ...

I did it already with editing/creating the files and commands below.
Putting '--debug' in a variable with Environment= as your hint is far
more elegant and would remove the service override.conf method.

The output went to /var/log/syslog, some 10,000 lines for one PIN
request. I haven't found time to study them.

matthias

/lib/systemd/system/pcscd.service:

[Unit]
Description=PC/SC Smart Card Daemon
Requires=pcscd.socket
Documentation=man:pcscd(8)

[Service]
ExecStartPre=/bin/bash -c "echo 1 > /sys/class/leds/smc_en/brightness && sleep 2"
ExecStart=/usr/sbin/pcscd --foreground --auto-exit
ExecReload=/usr/sbin/pcscd --hotplug

[Install]
Also=pcscd.socket

/etc/systemd/system/pcscd.service.d/override.conf:

[Unit]
Description=PC/SC Smart Card Daemon
Requires=pcscd.socket
Documentation=man:pcscd(8)

[Service]
ExecStartPre=/bin/bash -c "echo 1 > /sys/class/leds/smc_en/brightness && sleep 2"
# ExecStart=/usr/sbin/pcscd --foreground --auto-exit --debug
ExecReload=/usr/sbin/pcscd --hotplug

[Install]
Also=pcscd.socket

/usr/lib/systemd/system/pcscd.service.d/librem5.conf:

[Service]
Environment="LIBCCID_ifdLogLevel=0x"
ExecStartPre=/bin/bash -c "echo 1 > /sys/class/leds/smc_en/brightness && sleep 5"
ExecStopPost=/bin/bash -c "echo 0 > /sys/class/leds/smc_en/brightness"
StandardOutput=syslog
StandardError=syslog

systemctl stop pcscd.service
systemctl daemon-reload
systemctl start pcscd.service

-- 
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
I am not at war with Russia.
Re: It takes 8-9 secs until pinentry asks for the PIN of the OpenPGP card
Hello,

Matthias Apitz wrote:
> This isn't that easy. The pcscd is running (when needed) as:
>
> purism@pureos:~$ ps ax | grep pcscd
>    2151 ?        Ssl    0:00 /usr/sbin/pcscd --foreground --auto-exit
>
> it is launched by a system service:

I see. IIUC, PureOS is Debian based. There should be a file for systemd
as /lib/systemd/system/pcscd.service. Its content is something like:

==
[Unit]
Description=PC/SC Smart Card Daemon
Requires=pcscd.socket
Documentation=man:pcscd(8)

[Service]
ExecStart=/usr/sbin/pcscd --foreground --auto-exit $PCSCD_ARGS
ExecReload=/usr/sbin/pcscd --hotplug
EnvironmentFile=-/etc/default/pcscd

[Install]
Also=pcscd.socket
==

Then, to debug PC/SC service, you can have a file /etc/default/pcscd with:

==
PCSCD_ARGS=--debug
LIBCCID_ifdLogLevel=0x
==

Kill pcscd by systemctl, if any.

Kill the scdaemon by:

$ gpgconf --kill scdaemon

And then, when you try to access OpenPGP card by SSH or GnuPG, gpg-agent
invokes scdaemon, scdaemon tries to access PC/SC service, pcscd is
invoked by socket activation with systemd.

You can see the debug log by journalctl.
--
Re: It takes 8-9 secs until pinentry asks for the PIN of the OpenPGP card
On Thursday, May 16, 2024 at 04:09:44 +0900, NIIBE Yutaka wrote:
> Hello,
>
> Matthias Apitz wrote:
> > It seems that the first time is longer. I will increase the debug-level
> > for scdaemon.
>
> Thank you for the information. I think that it's better to debug how
> PC/SC goes.
>
> To get full debug log in lower level, you can invoke pcscd manually with
> root:
>
> # LIBCCID_ifdLogLevel=0x pcscd -f --debug

This isn't that easy. The pcscd is running (when needed) as:

purism@pureos:~$ ps ax | grep pcscd
   2151 ?        Ssl    0:00 /usr/sbin/pcscd --foreground --auto-exit

it is launched by a system service:

root@pureos:/home/purism# systemctl status pcscd
● pcscd.service - PC/SC Smart Card Daemon
     Loaded: loaded (/lib/systemd/system/pcscd.service; indirect; vendor pres>
    Drop-In: /usr/lib/systemd/system/pcscd.service.d
             └─librem5.conf
     Active: active (running) since Thu 2024-05-16 10:02:44 CEST; 12s ago
TriggeredBy: ● pcscd.socket
       Docs: man:pcscd(8)
    Process: 27601 ExecStartPre=/bin/bash -c echo 1 > /sys/class/leds/smc_en/>
    Process: 27602 ExecStartPre=/bin/bash -c echo 1 > /sys/class/leds/smc_en/>
   Main PID: 27603 (pcscd)
      Tasks: 5 (limit: 3015)
     Memory: 752.0K
        CPU: 303ms
     CGroup: /system.slice/pcscd.service
             └─27603 /usr/sbin/pcscd --foreground --auto-exit

I killed a running pcscd and started it as root as you say, but this
makes gpg-agent fail to communicate. I have to figure out how to set your
env var LIBCCID_ifdLogLevel=0x and where the debug log of pcscd goes in
this case. This will take a while.

matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
I am not at war with Russia.
Re: It takes 8-9 secs until pinentry asks for the PIN of the OpenPGP card
Hello,

Matthias Apitz wrote:
> It seems that the first time is longer. I will increase the debug-level
> for scdaemon.

Thank you for the information. I think that it's better to debug how
PC/SC goes.

To get full debug log in lower level, you can invoke pcscd manually with
root:

# LIBCCID_ifdLogLevel=0x pcscd -f --debug
--
Re: It takes 8-9 secs until pinentry asks for the PIN of the OpenPGP card
Hello,

I wonder if it takes always 8-9 secs, or it's only for the first time.

Matthias Apitz wrote:
> /tmp/scdaemon-debug.log:
[...]
> 2024-05-15 11:07:58 scdaemon[16983] DBG: chan_7 <- SERIALNO
>
> It takes 8 secs until scdaemon detects the reader, what does this mean?
>
> 2024-05-15 11:08:06 scdaemon[16983] detected reader 'L5 built-in SmartCard
> Reader 00 00'
> 2024-05-15 11:08:06 scdaemon[16983] detected reader 'L5 built-in SmartCard
> Reader 00 01'

The scdaemon dynamically loads PC/SC shared library and asks PC/SC
service for available card readers. PC/SC service is invoked, if not
there. Then, PC/SC service dynamically loads serial driver
(libccidtwin.so). And it's the serial driver which accesses the card
access chip (IIUC, it's STM32L4xx). That's what is going on.

But 8 seconds are too much. Something is going wrong...
--
Re: It takes 8-9 secs until pinentry asks for the PIN of the OpenPGP card
On Thursday, May 16, 2024 at 03:00:52 +0900, NIIBE Yutaka wrote:
> Hello,
>
> I wonder if it takes always 8-9 secs, or it's only for the first time.
>
> Matthias Apitz wrote:
> > /tmp/scdaemon-debug.log:
> [...]
> > 2024-05-15 11:07:58 scdaemon[16983] DBG: chan_7 <- SERIALNO
> >
> > It takes 8 secs until scdaemon detects the reader, what does this mean?
> >
> > 2024-05-15 11:08:06 scdaemon[16983] detected reader 'L5 built-in SmartCard
> > Reader 00 00'
> > 2024-05-15 11:08:06 scdaemon[16983] detected reader 'L5 built-in SmartCard
> > Reader 00 01'
>
> The scdaemon dynamically loads PC/SC shared library and asks PC/SC
> service for available card readers. PC/SC service is invoked, if not
> there. Then, PC/SC service dynamically loads serial driver
> (libccidtwin.so). And it's the serial driver which accesses the card
> access chip (IIUC, it's STM32L4xx). That's what is going on.
>
> But 8 seconds are too much. Something is going wrong...

purism@pureos:~$ date ; scp foo $ua:. ; date
Thu 16 May 2024 08:10:56 AM CEST
foo                                          100%    0     0.0KB/s   00:00
Thu 16 May 2024 08:11:11 AM CEST

15 secs (~4-5 of them to enter the PIN)

purism@pureos:~$ date ; scp foo $ua:. ; date
Thu 16 May 2024 08:11:22 AM CEST
foo                                          100%    0     0.0KB/s   00:00
Thu 16 May 2024 08:11:30 AM CEST

8 secs (~4-5 of them to enter the PIN)

purism@pureos:~$ date ; scp foo $ua:. ; date
Thu 16 May 2024 08:11:42 AM CEST
foo                                          100%    0     0.0KB/s   00:00
Thu 16 May 2024 08:11:49 AM CEST

7 secs (~4-5 of them to enter the PIN)

purism@pureos:~$ date ; scp foo $ua:. ; date
Thu 16 May 2024 08:12:33 AM CEST
foo                                          100%    0     0.0KB/s   00:00
Thu 16 May 2024 08:12:41 AM CEST

8 secs (~4-5 of them to enter the PIN)

It seems that the first time is longer. I will increase the debug-level
for scdaemon.

matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
I am not at war with Russia.
It takes 8-9 secs until pinentry asks for the PIN of the OpenPGP card
Hello,

I'm using an OpenPGP card in my cellphone Purism L5 for GnuPG actions
(password-store, SSH, ...). It mostly takes some 8-9 seconds until the
PIN entry dialog pops up. I enabled debug log for the gpg-agent and the
scdaemon, see below, and the time is consumed by the scdaemon waiting
for something. What does this mean?

matthias

/tmp/gpg-agent-debug.log:

2024-05-15 10:55:09 gpg-agent[2565] DBG: chan_11 -> BYE
2024-05-15 11:07:58 gpg-agent[2565] ssh handler 0xb17ff1e0 for fd 10 started
2024-05-15 11:07:58 gpg-agent[2565] ssh request handler for request_identities (11) started
2024-05-15 11:07:58 gpg-agent[2565] no running SCdaemon - starting it
2024-05-15 11:07:58 gpg-agent[2565] DBG: chan_11 <- OK GNU Privacy Guard's Smartcard server ready
2024-05-15 11:07:58 gpg-agent[2565] DBG: first connection to SCdaemon established
2024-05-15 11:07:58 gpg-agent[2565] DBG: chan_11 -> GETINFO socket_name
2024-05-15 11:07:58 gpg-agent[2565] DBG: chan_11 <- D /run/user/1000/gnupg/S.scdaemon
2024-05-15 11:07:58 gpg-agent[2565] DBG: chan_11 <- OK
2024-05-15 11:07:58 gpg-agent[2565] DBG: additional connections at '/run/user/1000/gnupg/S.scdaemon'
2024-05-15 11:07:58 gpg-agent[2565] DBG: chan_11 -> OPTION event-signal=12
2024-05-15 11:07:58 gpg-agent[2565] DBG: chan_11 <- OK
2024-05-15 11:07:58 gpg-agent[2565] DBG: chan_11 -> SERIALNO

it takes 8-9 secs to get the card's SERIALNO from the scdaemon

2024-05-15 11:08:07 gpg-agent[2565] DBG: chan_11 <- S SERIALNO D2760001240103040005A6FE
...

/tmp/scdaemon-debug.log:

2024-05-15 11:07:58 scdaemon[16983] listening on socket '/run/user/1000/gnupg/S.scdaemon'
2024-05-15 11:07:58 scdaemon[16983] handler for fd -1 started
2024-05-15 11:07:58 scdaemon[16983] DBG: chan_7 -> OK GNU Privacy Guard's Smartcard server ready
2024-05-15 11:07:58 scdaemon[16983] DBG: chan_7 <- GETINFO socket_name
2024-05-15 11:07:58 scdaemon[16983] DBG: chan_7 -> D /run/user/1000/gnupg/S.scdaemon
2024-05-15 11:07:58 scdaemon[16983] DBG: chan_7 -> OK
2024-05-15 11:07:58 scdaemon[16983] DBG: chan_7 <- OPTION event-signal=12
2024-05-15 11:07:58 scdaemon[16983] DBG: chan_7 -> OK
2024-05-15 11:07:58 scdaemon[16983] DBG: chan_7 <- SERIALNO

It takes 8 secs until scdaemon detects the reader, what does this mean?

2024-05-15 11:08:06 scdaemon[16983] detected reader 'L5 built-in SmartCard Reader 00 00'
2024-05-15 11:08:06 scdaemon[16983] detected reader 'L5 built-in SmartCard Reader 00 01'
2024-05-15 11:08:06 scdaemon[16983] reader slot 0: not connected
2024-05-15 11:08:06 scdaemon[16983] reader slot 0: active protocol: T1
2024-05-15 11:08:06 scdaemon[16983] slot 0: ATR=3B DA 18 FF 81 B1 FE 75 1F 03 00 31 F5 73 C0 01 60 00 90 00 1C
2024-05-15 11:08:06 scdaemon[16983] AID: D2 76 00 01 24 01 03 04 00 05 00 00 A6 FE 00 00
2024-05-15 11:08:06 scdaemon[16983] Historical Bytes: 00 31 F5 73 C0 01 60 05 90 00
2024-05-15 11:08:06 scdaemon[16983] Version-2+ .: yes
...

-- 
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
I am not at war with Russia.
Re: setup of OpenPGP card not asking for keysize
On Sun, 12 May 2024 15:22, Matthias Apitz said:

> I did a factory reset and changed the keylength with the subcommand
> 'key-attr' to 4096. All fine and one must be patient as the key
> 'generate' takes significantly longer.

That's why I always suggest to use ECC instead of RSA on smartcards.

Salam-Shalom,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
Re: setup of OpenPGP card not asking for keysize
I did a factory reset and changed the keylength with the subcommand
'key-attr' to 4096. All fine and one must be patient as the key
'generate' takes significantly longer.

matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
I am not at war with Russia.
setup of OpenPGP card not asking for keysize
Hello,

I'm setting up a new OpenPGP card I've got from Purism for my second
mobile L5. During the key generation it is not asking for the length of
the key, 2048 or 4096 bits. The status is:

purism@pureos:~$ gpg --card-status
Reader ...........: L5 built-in SmartCard Reader 00 00
Application ID ...: D2760001240103040005CF41
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: ZeitControl
Serial number ....: CF41
Name of cardholder: [not set]
Language prefs ...: de
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 64 64 64
PIN retry counter : 3 0 3
Signature counter : 4
KDF setting ......: off
Signature key ....: 0880 352D F31B 5AED 8E90 FC5B 0650 0BB7 D65F 4BE3
      created ....: 2024-05-11 15:18:52
Encryption key....: 3E6E 4F1D 541F 9BD8 CEF7 C01C EE22 0666 1921 411A
      created ....: 2024-05-11 15:18:52
Authentication key: 1274 5D73 CDA7 69B5 979D 2FE9 5E3B 2EB2 1466 6396
      created ....: 2024-05-11 15:18:52
General key info..: pub  rsa2048/06500BB7D65F4BE3 2024-05-11 Matthias Apitz (OpenPGP card)
sec>  rsa2048/06500BB7D65F4BE3  created: 2024-05-11  expires: never
                                card-no: 0005 CF41
ssb>  rsa2048/5E3B2EB214666396  created: 2024-05-11  expires: never
                                card-no: 0005 CF41
ssb>  rsa2048/EE2206661921411A  created: 2024-05-11  expires: never
                                card-no: 0005 CF41

I can do 'generate' again because the keys are still not in use.

Older cards in the dialog were asking (as my write-ups show):

...
What keysize do you want for the Signature key? (2048) 4096
The card will now be re-configured to generate a key of 4096 bits
...

How can I force keysize 4096?

Thanks

matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
I am not at war with Russia.
Re: OpenPGP card not available
On Tue, Apr 09, 2024 at 12:11:31PM +0200, Werner Koch wrote:
> By default we are not using PC/SC on Linux but direct access to the
> reader via USB. Now if pcscd is already running and has access to the
> reader scdaemon won't be able to access the reader via USB.
>
> 2.2 falls back to PC/SC if it can't use the reader via USB.

That explains the difference nicely.

> Either shutdown pcscd or add
>
> disable-ccid-driver
>
> to ~/.gnupg/scdaemon.conf

Shutting down pcscd fixed it! But I have other software that needs pcscd
to access the card, so I added "disable-ccid" to scdaemon.conf and gpg
now works even though pcscd is running.

Thanks for the help.

Dan
OpenPGP card not available
Running "gpg --card-status" with a configured Yubikey plugged in on an x86_64
Linux machine just gives me these errors when running 2.4.5:

gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

However, leaving everything else the same and just running 2.2.42 (& earlier
2.2.x) gives me the output I'd expect with that command. I've tried some of
the advice I've found of adding "reader-port Yubico Yubi" and "pcsc-shared" to
scdaemon.conf, but it didn't make a difference. Enabling some scdaemon logging
shows this interesting bit in the log file:

2024-04-08 16:45:28 scdaemon[62168] DBG: chan_7 <- SERIALNO
2024-04-08 16:45:28 scdaemon[62168] DBG: apdu_open_reader: BAI=70202
2024-04-08 16:45:28 scdaemon[62168] DBG: apdu_open_reader: new device=70202
2024-04-08 16:45:28 scdaemon[62168] ccid open error: skip
2024-04-08 16:45:28 scdaemon[62168] DBG: chan_7 -> ERR 100696144 No such device

With 2.2.42, I see this (with an actual serial number) and all works well:

2024-04-08 16:38:43 scdaemon[36563] DBG: chan_7 <- SERIALNO
2024-04-08 16:38:43 scdaemon[36563] DBG: apdu_open_reader: BAI=70202
2024-04-08 16:38:43 scdaemon[36563] DBG: apdu_open_reader: new device=70202
2024-04-08 16:38:43 scdaemon[36563] ccid open error: skip
2024-04-08 16:38:43 scdaemon[36563] DBG: chan_7 -> S SERIALNO D000
2024-04-08 16:38:43 scdaemon[36563] DBG: chan_7 -> OK
...

Running "echo SERIALNO | scd/scdaemon --server" is enough. I've tried both
pcsc-lite 1.9.9 and 2.0.3 without a difference. I'm not sure how to drill
down further to figure out what else could be causing the failure. One
obvious difference is that the working version is linked against
libpthread.so.0 but the failing one is linked against libnpth.so.0, but that
seems to have to do with locking which I wouldn't expect to make a difference
with a simple local test. I was hoping to bisect to the problem except that
the 2.3 and 2.4 branches fail at their .0 versions.

Does someone have a suggestion to debug further?

Dan
Re: OpenPGP card not available
On Mon,  8 Apr 2024 21:50, Dan Fandrich said:

> Running "echo SERIALNO | scd/scdaemon --server" is enough. I've tried both
> pcsc-lite 1.9.9 and 2.0.3 without a difference. I'm not sure how to drill

By default we are not using PC/SC on Linux but direct access to the
reader via USB. Now if pcscd is already running and has access to the
reader scdaemon won't be able to access the reader via USB.

2.2 falls back to PC/SC if it can't use the reader via USB.

Either shutdown pcscd or add

disable-ccid-driver

to ~/.gnupg/scdaemon.conf

More debug output can be logged by adding

debug cardio
debug-ccid-reader

Shalom-Salam,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
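Werner's explanation above, turned into a small log-triage script. This is an added example (not GnuPG code, not something from the thread): the two log excerpts are the ones Dan posted for 2.4.5 and 2.2.42, and the decision rules are my own assumption derived from Werner's description, namely that scdaemon first tries its internal CCID/USB driver, that attempt fails when pcscd already holds the reader, 2.2 then falls back to PC/SC while 2.4 answers the SERIALNO request with an error. The `patch_scdaemon_conf` helper only returns the text of an updated scdaemon.conf; writing it to ~/.gnupg and running `gpgconf --kill scdaemon` afterwards is left to the reader.

```python
"""Triage scdaemon debug logs for the CCID-vs-pcscd conflict discussed above.

Added example; not GnuPG code. Sample logs are the excerpts Dan posted, with
the serial number redacted as in his post. The classification rules are an
assumption based on Werner's explanation of how scdaemon opens the reader.
"""
import re

LOG_GNUPG_24 = """\
2024-04-08 16:45:28 scdaemon[62168] DBG: chan_7 <- SERIALNO
2024-04-08 16:45:28 scdaemon[62168] DBG: apdu_open_reader: BAI=70202
2024-04-08 16:45:28 scdaemon[62168] DBG: apdu_open_reader: new device=70202
2024-04-08 16:45:28 scdaemon[62168] ccid open error: skip
2024-04-08 16:45:28 scdaemon[62168] DBG: chan_7 -> ERR 100696144 No such device
"""

LOG_GNUPG_22 = """\
2024-04-08 16:38:43 scdaemon[36563] DBG: chan_7 <- SERIALNO
2024-04-08 16:38:43 scdaemon[36563] DBG: apdu_open_reader: BAI=70202
2024-04-08 16:38:43 scdaemon[36563] DBG: apdu_open_reader: new device=70202
2024-04-08 16:38:43 scdaemon[36563] ccid open error: skip
2024-04-08 16:38:43 scdaemon[36563] DBG: chan_7 -> S SERIALNO D000
2024-04-08 16:38:43 scdaemon[36563] DBG: chan_7 -> OK
"""

# "<date> <time> scdaemon[<pid>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) scdaemon\[(?P<pid>\d+)\] (?P<msg>.*)$"
)


def parse_scdaemon_log(text):
    """Return the message part of every well-formed scdaemon log line."""
    return [m.group("msg") for m in map(LINE_RE.match, text.splitlines()) if m]


def diagnose(text):
    """Classify one SERIALNO round trip seen in an scdaemon log.

    verdict is one of:
      'ok'                 reader opened directly, serial number returned
      'ccid-pcsc-fallback' internal CCID driver failed, PC/SC served the request
      'ccid-no-fallback'   internal CCID driver failed and the request errored
      'unknown'            none of the expected markers were present
    """
    msgs = parse_scdaemon_log(text)
    ccid_failed = any(m.startswith("ccid open error") for m in msgs)
    served = any(re.match(r"DBG: chan_\d+ -> S SERIALNO ", m) for m in msgs)
    error = next((m for m in msgs if re.match(r"DBG: chan_\d+ -> ERR ", m)), None)

    if served and not ccid_failed:
        verdict = "ok"
    elif served:
        verdict = "ccid-pcsc-fallback"
    elif ccid_failed and error is not None:
        verdict = "ccid-no-fallback"
    else:
        verdict = "unknown"
    return {"ccid_failed": ccid_failed, "served": served,
            "error": error, "verdict": verdict}


# Options named in Werner's reply.
DISABLE_CCID = "disable-ccid-driver"
DEBUG_OPTIONS = ("debug cardio", "debug-ccid-reader")


def patch_scdaemon_conf(existing, diag, with_debug=False):
    """Return the text of an updated scdaemon.conf; nothing is written to disk.

    disable-ccid-driver is added whenever the internal CCID driver failed to
    open the reader (in the 2.2 fallback case it is harmless and makes the
    PC/SC path explicit). Existing lines are preserved and options already
    present are not duplicated, so the function is idempotent.
    """
    lines = [l.rstrip() for l in existing.splitlines()]
    present = {l.strip() for l in lines}
    wanted = []
    if diag["verdict"] in ("ccid-no-fallback", "ccid-pcsc-fallback"):
        wanted.append(DISABLE_CCID)
    if with_debug:
        wanted.extend(DEBUG_OPTIONS)
    for opt in wanted:
        if opt not in present:
            lines.append(opt)
            present.add(opt)
    return "\n".join(lines) + ("\n" if lines else "")


if __name__ == "__main__":
    for version, log in (("2.4.5", LOG_GNUPG_24), ("2.2.42", LOG_GNUPG_22)):
        print(version, diagnose(log)["verdict"])
    print(patch_scdaemon_conf("reader-port Yubico Yubi\n",
                              diagnose(LOG_GNUPG_24), with_debug=True), end="")
```

Run against Dan's two excerpts the verdicts are `ccid-no-fallback` for 2.4.5 and `ccid-pcsc-fallback` for 2.2.42, which is exactly the difference Werner describes; the "ccid open error: skip" line is the tell in both, the difference is only whether a `S SERIALNO` status line follows.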
Re: On the security of ~/.password-store/.gpg-id [was: Re: Second OpenPGP-card]
On Fri,  1 Mar 2024 21:56, Daniel Kahn Gillmor said:

> For example, GnuPG could instead offer an interface with explicit
> options to allow the user to choose to match certificates by
> fingerprint, or by e-mail address, or by name, or by full User ID, but

Simply prefix the fingerprint with 0x and gpg will only consider
fingerprints. RTFM. You know that very well given that you are the
person who was so keen to be able to maintain a "curated" keyring.

-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
Re: On the security of ~/.password-store/.gpg-id [was: Re: Second OpenPGP-card]
On Fri, Mar 1, 2024 at 8:57 PM Daniel Kahn Gillmor via Gnupg-users wrote:
> I agree with you that it's nice to refer to people by human-memorable
> names. I just wish it was safe to do so.

I would consider it is safe to do so. It is in fact mostly the entire
purpose of GPG to identify the correct certificates to send messages for
you. If PGP did not choose the certificate for you, then it would just be
OpenSSL; i.e. it would not be useful for the very purpose of the software.

> > Calling this a risky implementation choice of GnuPG is ridiculous.
> Is it really ridiculous? It seems factual to me. Note that I'm not

It is not factual.

> For example, GnuPG could instead offer an interface with explicit
> options to allow the user to choose to match certificates by
> fingerprint, or by e-mail address, or by name, or by full User ID, but
> not a mishmash of all of the above.

No.. either you trust the authenticity of the certificate, including the
Email address, Name, and Full User IDs, or you don't. If you trust the
certificate, then it should be safe to match it based on all the
attributes. If you own a certificate that should no longer be trusted,
then you should revoke it.

Trust is determined based on the chain of Certificate signatures, and
the contents of your Key storage indicating which certificate signers
you trust. If your Public Key storage is compromised so that it is
configured to Trust certificates you should not, then so is that whole
PGP installation.

The Unsafe condition would be allowing yourself to have Public key
storage containing certificates or signers you should not trust marked
trusted.

> > If anything then it's a risky implementation choice of pass to allow
> > using anything other than a fingerprint in ~/.password-store/.gpg-id.

Pass isn't part of GPG, so who knows whether what they are doing is safe
or not. I would say inputting a full Key ID or e-mail address is safe
enough.

If your GPG Installation is so badly damaged that you have Incorrect
keys marked trusted in your public key storage, then you should consider
your whole software installation compromised. Software with a
compromised installation (damaged binaries or config) would be
inherently unsafe to use.

--
-J
Re: On the security of ~/.password-store/.gpg-id [was: Re: Second OpenPGP-card]
On Fri 2024-03-01 17:06:09 +0100, Ingo Klöcker wrote:
> On Thursday, 29 February 2024 21:21:42 CET Daniel Kahn Gillmor wrote:
>> human-readable names for certificates. But I don't see how to use that
>> safely while dealing with GnuPG's risky implementation choices here.
>
> Allowing recipients to be specified by email address (or some other
> part of a user ID) was inherited from PGP. And I guess it's part of
> the reason for the success of PGP (and GnuPG) that one could specify
> keys of recipients by email addresses instead of by hard to remember
> key IDs (when those could still be considered unique) or by impossible
> to remember fingerprints (or by file name as sequoia-pgp seems to
> prefer).

I agree with you that it's nice to refer to people by human-memorable names. I just wish it was safe to do so.

> Calling this a risky implementation choice of GnuPG is ridiculous.

Is it really ridiculous? It seems factual to me. Note that I'm not saying GnuPG is the only one to make such an implementation choice, but I really do think it's risky.

For example, GnuPG could instead offer an interface with explicit options to allow the user to choose to match certificates by fingerprint, or by e-mail address, or by name, or by full User ID, but not a mishmash of all of the above.

> If anything then it's a risky implementation choice of pass to allow
> using anything other than a fingerprint in ~/.password-store/.gpg-id.

I agree, that's risky too! But as you say above (and as the message that I sent, but which doesn't appear to have been delivered to the list, also said), it's an understandable urge to want to use human-readable names. It seems totally reasonable to put my own name there, for example! Who knew that it could cause problems‽

Anyway, for `pass` to restrict the contents of .gpg-id to being a fingerprint, the GnuPG API(?) requires `pass` to know exactly how to match a fingerprint so that GnuPG is also guaranteed to treat it as a fingerprint. If a new version of GnuPG ever accepts other forms of fingerprint, or requires a different form, then pass would need to be updated to match the new expectations. That seems clumsy, and likely to lead to upgrade friction down the line.

I agree with you that these kinds of tools should let the user do the sort of things that users generally want to do. The tools should also let them do those things safely by default, and without confusion.

--dkg
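The matching forms dkg and Ingo argue about above (fingerprint, key ID, e-mail address, name substring) and the recipient parse loop Werner quotes further down can be turned into a check that runs before a store is trusted. The following is an added example written for this page; it is not code from pass or GnuPG. It classifies each `.gpg-id` entry by the GnuPG user-ID matching rule it would fall under, resolves the entry against a `gpg --with-colons --list-keys` listing, and reports anything other than a fingerprint that names exactly one certificate; it also warns when `PASSWORD_STORE_KEY` is set in the environment, since pass then ignores `.gpg-id` (Jacob's point below). The colon listing in the block is constructed: the first certificate uses the fingerprint Matthias posts below (without the e-mail address, which the archive strips), the second is a hypothetical attacker certificate with a made-up all-zero fingerprint that also carries the user ID "CCID L5".

```python
"""Lint a pass .gpg-id file. Added example, not pass or GnuPG code."""
import os
import re
import subprocess

HEXFPR = re.compile(r"^(0x)?([0-9A-Fa-f]{40}|[0-9A-Fa-f]{64})$")  # v4 / v5 fingerprint
HEXKID = re.compile(r"^(0x)?([0-9A-Fa-f]{16}|[0-9A-Fa-f]{8})$")   # long / short key ID

# Constructed `gpg --with-colons --list-keys` output. Certificate 1 is the one from the
# thread; certificate 2 is a hypothetical attacker key (made-up fingerprint) whose second
# user ID is just "CCID L5".
SAMPLE_LISTING = """\
pub:u:2048:1:529B7423F3608141:1635552000:::u:::scESC::::::23::0:
fpr:::::::::336EB96892FE9FE7F6AD01D6529B7423F3608141:
uid:u::::1635552000::0000000000000000000000000000000000000000::Matthias Apitz (GnuPG CCID L5)::::::::::0:
sub:u:2048:1:39BDCE025E4698B6:1635552000::::::e::::::23:
pub:-:3072:1:0000000000000001:1709164800:::-:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:-::::1709164800::0000000000000000000000000000000000000001::Mallory <mallory@example.org>::::::::::0:
uid:-::::1709164800::0000000000000000000000000000000000000002::CCID L5::::::::::0:
sub:-:3072:1:0000000000000002:1709164800::::::e::::::23:
"""

def normalize(entry):
    """Drop a trailing '#' comment (pass does the same) and surrounding whitespace."""
    return entry.split("#", 1)[0].strip()

def classify(entry):
    """Name the GnuPG user-ID matching rule a recipient string selects."""
    e = normalize(entry)
    compact = re.sub(r"\s+", "", e)            # gpg prints fingerprints with spaces
    if not e:
        return "empty"
    if HEXFPR.match(compact):
        return "fingerprint"
    if HEXKID.match(compact):
        return "keyid"                         # 32/64-bit IDs are cheap to collide
    if e.startswith("<") and e.endswith(">"):
        return "exact-email"
    if e.startswith("="):
        return "exact-userid"
    return "substring"                         # default rule: any user ID containing the text

def parse_colons(listing):
    """Turn `gpg --with-colons --list-keys` output into [{fpr, keyid, subkeys, uids}]."""
    certs, cur = [], None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            cur = {"keyid": f[4], "fpr": None, "subkeys": [], "uids": []}
            certs.append(cur)
        elif cur is None:
            continue
        elif f[0] == "fpr" and cur["fpr"] is None:
            cur["fpr"] = f[9].upper()          # first fpr after pub is the primary key's
        elif f[0] == "sub":
            cur["subkeys"].append(f[4])
        elif f[0] == "uid":
            cur["uids"].append(f[9])
    return certs

def resolve(entry, certs):
    """Certificates the entry would select under the rule from classify()."""
    kind = classify(entry)
    e = normalize(entry)
    hexpart = re.sub(r"\s+", "", e).upper()
    if hexpart.startswith("0X"):
        hexpart = hexpart[2:]
    if kind == "fingerprint":
        return [c for c in certs if c["fpr"] == hexpart]
    if kind == "keyid":
        return [c for c in certs
                if any(k.endswith(hexpart) for k in [c["keyid"]] + c["subkeys"])]
    if kind == "exact-email":
        return [c for c in certs if any(e in u for u in c["uids"])]
    if kind == "exact-userid":
        return [c for c in certs if e[1:] in c["uids"]]
    return [c for c in certs if any(e.lower() in u.lower() for u in c["uids"])]

def check_gpg_id(text, certs, env=None):
    """Problems with a .gpg-id file's contents. Empty list: every entry is a fingerprint
    naming exactly one certificate and no environment override is active."""
    env = os.environ if env is None else env
    problems = []
    if env.get("PASSWORD_STORE_KEY"):
        problems.append("PASSWORD_STORE_KEY is set; pass ignores .gpg-id and uses it instead")
    for n, line in enumerate(text.splitlines(), 1):
        e = normalize(line)
        if not e:
            continue
        kind, hits = classify(e), resolve(e, certs)
        if kind != "fingerprint":
            problems.append(f"line {n}: {e!r} is matched by {kind}, not by fingerprint; any "
                            f"imported certificate can carry a matching user ID "
                            f"(currently matches {len(hits)} certificate(s))")
        elif len(hits) != 1:
            problems.append(f"line {n}: fingerprint {e!r} matches {len(hits)} certificates")
    return problems

def check_store(store=os.path.expanduser("~/.password-store")):
    """Run the check against the real keyring (needs gpg on PATH); returns the problems."""
    listing = subprocess.run(["gpg", "--with-colons", "--list-keys"],
                             check=True, capture_output=True, text=True).stdout
    with open(os.path.join(store, ".gpg-id")) as fh:
        return check_gpg_id(fh.read(), parse_colons(listing))

if __name__ == "__main__":
    certs = parse_colons(SAMPLE_LISTING)
    for entry in ("CCID L5", "336E B968 92FE 9FE7 F6AD 01D6 529B 7423 F360 8141"):
        print(entry, "->", check_gpg_id(entry + "\n", certs, env={}) or "ok")
```

Against the constructed listing, "CCID L5" resolves to both certificates, which is exactly the swap Ingo describes; the full fingerprint resolves to one. `check_store()` does the same against the live keyring.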
Re: On the security of ~/.password-store/.gpg-id [was: Re: Second OpenPGP-card]
On Thursday, 29 February 2024 21:21:42 CET Daniel Kahn Gillmor wrote:
> human-readable names for certificates. But I don't see how to use that
> safely while dealing with GnuPG's risky implementation choices here.

Allowing recipients to be specified by email address (or some other part of a user ID) was inherited from PGP. And I guess it's part of the reason for the success of PGP (and GnuPG) that one could specify keys of recipients by email addresses instead of by hard to remember key IDs (when those could still be considered unique) or by impossible to remember fingerprints (or by file name as sequoia-pgp seems to prefer).

Calling this a risky implementation choice of GnuPG is ridiculous. If anything then it's a risky implementation choice of pass to allow using anything other than a fingerprint in ~/.password-store/.gpg-id.

Regards,
Ingo
Re: Second OpenPGP-card
On Thursday, February 29, 2024 at 01:40:53 +0100, Ingo Klöcker wrote:
> "CCID L5" doesn't strike me as a sufficiently unique identifier for a key. If I
> add a (secondary) user ID "CCID L5" to my key and trick Matthias into
> importing it, won't pass start encrypting their passwords for my key?
>
> My ~/.password-store/.gpg-id contains the fingerprint of my password encryption
> key.

Mine too now:

purism@pureos:~$ gpg --list-keys --fingerprint
/home/purism/.gnupg/pubring.kbx
---
pub   rsa2048 2021-10-30 [SC]
      336E B968 92FE 9FE7 F6AD 01D6 529B 7423 F360 8141
uid           [ultimate] Matthias Apitz (GnuPG CCID L5)
sub   rsa2048 2021-10-30 [A]
sub   rsa2048 2021-10-30 [E]

purism@pureos:~$ cat .password-store/.gpg-id
336E B968 92FE 9FE7 F6AD 01D6 529B 7423 F360 8141

Thanks for this hint.

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
I am not at war with Russia. Я не воюю с Россией. Ich bin nicht im Krieg mit Russland.
Re: Second OpenPGP-card
On Wednesday, 28 February 2024 17:30:21 CET Werner Koch via Gnupg-users wrote:
> On Wed, 28 Feb 2024 10:55, Matthias Apitz said:
> > purism@pureos:~$ cat .password-store/.gpg-id
> > CCID L5
>
> Which means that it encrypts to "CCID L5". pass parses this using
>
>     while read -r gpg_id; do
>         gpg_id="${gpg_id%%#*}" # strip comment
>         [[ -n $gpg_id ]] || continue
>         GPG_RECIPIENT_ARGS+=( "-r" "$gpg_id" )
>         GPG_RECIPIENTS+=( "$gpg_id" )
>     done
>
> The good thing with pass is that it is easy to read.

"CCID L5" doesn't strike me as a sufficiently unique identifier for a key. If I add a (secondary) user ID "CCID L5" to my key and trick Matthias into importing it, won't pass start encrypting their passwords for my key?

My ~/.password-store/.gpg-id contains the fingerprint of my password encryption key.

Regards,
Ingo
Re: Second OpenPGP-card
On Wed, 28 Feb 2024 17:41, Jacob Bachmeyer said:
> As Werner mentioned, you can also have different .gpg-id files for
> different parts of your password store, if you wanted some passwords
> to only be available with certain smartcards.

FWIW: The C3S uses pass for their teams and meik wrote a script to manage such a password store: https://github.com/C3S/passtore

Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that refuse military service. - A. Einstein
Re: Second OpenPGP-card
On Wed, 28 Feb 2024 17:40, Jacob Bachmeyer said:
> Or even Windows, which remains disturbingly common in applications
> that probably need far less attack surface, like industrial control
> systems... (Is the stupidity of management a main driver of Shamir's
> law?)

Often true but the real problem is software complexity. Also: developers are being paid for their work and thus they tend to keep themselves in business by requiring software changes all the time.

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that refuse military service. - A. Einstein
Re: Second OpenPGP-card
Matthias Apitz wrote:
> On Wednesday, February 28, 2024 at 10:32:43 +0100, Werner Koch via Gnupg-users wrote:
>> On Tue, 27 Feb 2024 20:52, Jacob Bachmeyer said:
>>> Therefore, pass(1) almost certainly has its own list of keys stored
>>
>> pass stores the fingerprints of the keys in a .gpg-id file and allows to
>> set different ones per directories.
>
> Werner,
>
> I have only one .gpg-id file on my L5 mobile in my password-store:
>
> purism@pureos:~$ find .password-store/ -name .gpg-id
> .password-store/.gpg-id
> purism@pureos:~$ cat .password-store/.gpg-id
> CCID L5

That .gpg-id file would be the list I was talking about. It seems that pass(1) stores the actual keys on your main GPG keyring, but keeps a list of /which/ keys should be able to decrypt passwords separately. (Also ensure that there is never a rogue PASSWORD_STORE_KEY variable in your environment: if set, it overrides the search for a .gpg-id file.)

There is also a facility for maintaining GPG signatures on those .gpg-id files, which would make sneaking in Mallory's key far more difficult if you were to use it. I suspect that the pass(1) manpage has more information and may be interesting reading.

Overall, this seems to be a good design. I would also suggest using the key fingerprints instead of names when you reencrypt your password store, as I suspect that your new and old smartcard keys may have similar names.

As Werner mentioned, you can also have different .gpg-id files for different parts of your password store, if you wanted some passwords to only be available with certain smartcards.

-- Jacob
Re: Second OpenPGP-card
Werner Koch wrote:
> On Tue, 27 Feb 2024 20:52, Jacob Bachmeyer said:
> [...]
>> logarithm problem and /vice versa/. Accordingly, RSA1024 is now
>> considered sufficiently dubious that some implementations no longer
>> support it, such as the go-crypto/openpgp library used by the newer
>
> Which is a Bad Idea because it is up to the user or their implementation
> to decide which keys are trustworthy. Being able to revoke rsa1024 keys
> is a useful feature. Although MD5 (PGP2) can be considered as fully
> broken, rsa1024 is not in general broken.

Agreed; I was not endorsing that position, but I see that I should have said "apparently considered" to make that a bit more clear. I trust that GPG will continue to support the shorter RSA keys for the foreseeable future.

> But it is pretty fashionable to use an easy to exploit OS (e.g. not
> using the latest Linux kernel) and musing about RSA key strength. Keep
> Shamir's law in mind.

Or even Windows, which remains disturbingly common in applications that probably need far less attack surface, like industrial control systems... (Is the stupidity of management a main driver of Shamir's law?)

-- Jacob
Re: Second OpenPGP-card
On Wed, 28 Feb 2024 10:55, Matthias Apitz said:
> purism@pureos:~$ cat .password-store/.gpg-id
> CCID L5

Which means that it encrypts to "CCID L5". pass parses this using

    while read -r gpg_id; do
        gpg_id="${gpg_id%%#*}" # strip comment
        [[ -n $gpg_id ]] || continue
        GPG_RECIPIENT_ARGS+=( "-r" "$gpg_id" )
        GPG_RECIPIENTS+=( "$gpg_id" )
    done

The good thing with pass is that it is easy to read.

Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that refuse military service. - A. Einstein
Re: Second OpenPGP-card
On Wednesday, February 28, 2024 at 10:32:43 +0100, Werner Koch via Gnupg-users wrote:
> On Tue, 27 Feb 2024 20:52, Jacob Bachmeyer said:
>
> > Therefore, pass(1) almost certainly has its own list of keys stored
>
> pass stores the fingerprints of the keys in a .gpg-id file and allows to
> set different ones per directories.

Werner,

I have only one .gpg-id file on my L5 mobile in my password-store:

purism@pureos:~$ find .password-store/ -name .gpg-id
.password-store/.gpg-id
purism@pureos:~$ cat .password-store/.gpg-id
CCID L5

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
I am not at war with Russia. Я не воюю с Россией. Ich bin nicht im Krieg mit Russland.
Re: Second OpenPGP-card
On Tue, 27 Feb 2024 20:52, Jacob Bachmeyer said:
> Therefore, pass(1) almost certainly has its own list of keys stored

pass stores the fingerprints of the keys in a .gpg-id file and allows to set different ones per directories.

> logarithm problem and /vice versa/. Accordingly, RSA1024 is now
> considered sufficiently dubious that some implementations no longer
> support it, such as the go-crypto/openpgp library used by the newer

Which is a Bad Idea because it is up to the user or their implementation to decide which keys are trustworthy. Being able to revoke rsa1024 keys is a useful feature. Although MD5 (PGP2) can be considered as fully broken, rsa1024 is not in general broken.

But it is pretty fashionable to use an easy to exploit OS (e.g. not using the latest Linux kernel) and musing about RSA key strength. Keep Shamir's law in mind.

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that refuse military service. - A. Einstein
Re: Second OpenPGP-card
al passfile="$PREFIX/$path.gpg"
	set_git "$passfile"

	[[ $inplace -eq 0 && $force -eq 0 && -e $passfile ]] && yesno "An entry already exists for $path. Overwrite it?"

	read -r -n $length pass < <(LC_ALL=C tr -dc "$characters" < /dev/urandom)
	[[ ${#pass} -eq $length ]] || die "Could not generate password from /dev/urandom."
	if [[ $inplace -eq 0 ]]; then
		echo "$pass" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted."
	else
		local passfile_temp="${passfile}.tmp.${RANDOM}.${RANDOM}.${RANDOM}.${RANDOM}.--"
		if { echo "$pass"; $GPG -d "${GPG_OPTS[@]}" "$passfile" | tail -n +2; } | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile_temp" "${GPG_OPTS[@]}"; then
			mv "$passfile_temp" "$passfile"
		else
			rm -f "$passfile_temp"
			die "Could not reencrypt new password."
		fi
	fi
	local verb="Add"
	[[ $inplace -eq 1 ]] && verb="Replace"
	git_add_file "$passfile" "$verb generated password for ${path}."

	if [[ $clip -eq 1 ]]; then
		clip "$pass" "$path"
	elif [[ $qrcode -eq 1 ]]; then
		qrcode "$pass" "$path"
	else
		printf "\e[1mThe generated password for \e[4m%s\e[24m is:\e[0m\n\e[1m\e[93m%s\e[0m\n" "$path" "$pass"
	fi
}

cmd_delete() {
	local opts recursive="" force=0
	opts="$($GETOPT -o rf -l recursive,force -n "$PROGRAM" -- "$@")"
	local err=$?
	eval set -- "$opts"
	while true; do case $1 in
		-r|--recursive) recursive="-r"; shift ;;
		-f|--force) force=1; shift ;;
		--) shift; break ;;
	esac done
	[[ $# -ne 1 ]] && die "Usage: $PROGRAM $COMMAND [--recursive,-r] [--force,-f] pass-name"
	local path="$1"
	check_sneaky_paths "$path"

	local passdir="$PREFIX/${path%/}"
	local passfile="$PREFIX/$path.gpg"
	[[ -f $passfile && -d $passdir && $path == */ || ! -f $passfile ]] && passfile="${passdir%/}/"
	[[ -e $passfile ]] || die "Error: $path is not in the password store."
	set_git "$passfile"

	[[ $force -eq 1 ]] || yesno "Are you sure you would like to delete $path?"

	rm $recursive -f -v "$passfile"
	set_git "$passfile"
	if [[ -n $INNER_GIT_DIR && ! -e $passfile ]]; then
		git -C "$INNER_GIT_DIR" rm -qr "$passfile"
		set_git "$passfile"
		git_commit "Remove $path from store."
	fi
	rmdir -p "${passfile%/*}" 2>/dev/null
}

cmd_copy_move() {
	local opts move=1 force=0
	[[ $1 == "copy" ]] && move=0
	shift
	opts="$($GETOPT -o f -l force -n "$PROGRAM" -- "$@")"
	local err=$?
	eval set -- "$opts"
	while true; do case $1 in
		-f|--force) force=1; shift ;;
		--) shift; break ;;
	esac done
	[[ $# -ne 2 ]] && die "Usage: $PROGRAM $COMMAND [--force,-f] old-path new-path"
	check_sneaky_paths "$@"
	local old_path="$PREFIX/${1%/}"
	local old_dir="$old_path"
	local new_path="$PREFIX/$2"

	if ! [[ -f $old_path.gpg && -d $old_path && $1 == */ || ! -f $old_path.gpg ]]; then
		old_dir="${old_path%/*}"
		old_path="${old_path}.gpg"
	fi
	echo "$old_path"
	[[ -e $old_path ]] || die "Error: $1 is not in the password store."

	mkdir -p -v "${new_path%/*}"
	[[ -d $old_path || -d $new_path || $new_path == */ ]] || new_path="${new_path}.gpg"

	local interactive="-i"
	[[ ! -t 0 || $force -eq 1 ]] && interactive="-f"

	set_git "$new_path"
	if [[ $move -eq 1 ]]; then
		mv $interactive -v "$old_path" "$new_path" || exit 1
		[[ -e "$new_path" ]] && reencrypt_path "$new_path"

		set_git "$new_path"
		if [[ -n $INNER_GIT_DIR && ! -e $old_path ]]; then
			git -C "$INNER_GIT_DIR" rm -qr "$old_path" 2>/dev/null
			set_git "$new_path"
			git_add_file "$new_path" "Rename ${1} to ${2}."
		fi
		set_git "$old_path"
		if [[ -n $INNER_GIT_DIR && ! -e $old_path ]]; then
			git -C "$INNER_GIT_DIR" rm -qr "$old_path" 2>/dev/null
			set_git "$old_path"
			[[ -n $(git -C "$INNER_GIT_DIR" status --porcelain "$old_path") ]] && git_commit "Remove ${1}."
		fi
		rmdir -p "$old_dir" 2>/dev/null
	else
		cp $interactive -r -v "$old_path" "$new_path" || exit 1
		[[ -e "$new_path" ]] && reencrypt_path "$new_path"
		git_add_file "$new_path" "Copy ${1} to ${2}."
	fi
}

cmd_git() {
	set_git "$PREFIX/"
	if [[ $1 == "init" ]]; then
		INNER_GIT_DIR="$PREFIX"
		git -C "$INNER_GIT_DIR" "$@" || exit 1
		git_add_file "$PREFIX" "Add current contents of password store."

		echo '*.gpg diff=gpg' > "$PREFIX/.gitattributes"
		git_add_file .gitattributes "Configure git repository for gpg file diff."
		git -C "$INNER_GIT_DIR" config --local diff.gpg.binary true
		git -C "$INNER_GIT_DIR" config --local diff.gpg.textconv "$GPG -d ${GPG_OPTS[*]}"
	elif [[ -n $INNER_GIT_DIR ]]; then
		tmpdir nowarn #Defines $SECURE_TMPDIR. We don't warn, because at most, this only copies encrypted files.
		export TMPDIR="$SECURE_TMPDIR"
		git -C "$INNER_GIT_DIR" "$@"
	else
		die "Error: the password store is not a git repository. Try \"$PROGRAM git init\"."
	fi
}

cmd_extension_or_show() {
	if ! cmd_extension "$@"; then
		COMMAND="show"
		cmd_show "$@"
	fi
}

SYSTEM_EXTENSION_DIR="/usr/lib/password-store/extensions"
cmd_extension() {
	check_sneaky_paths "$1"
	local user_extension system_extension extension
	[[ -n $SYSTEM_EXTENSION_DIR ]] && system_extension="$SYSTEM_EXTENSION_DIR/$1.bash"
	[[ $PASSWORD_STORE_ENABLE_EXTENSIONS == true ]] && user_extension="$EXTENSIONS/$1.bash"
	if [[ -n $user_extension && -f $user_extension && -x $user_extension ]]; then
		verify_file "$user_extension"
		extension="$user_extension"
	elif [[ -n $system_extension && -f $system_extension && -x $system_extension ]]; then
		extension="$system_extension"
	else
		return 1
	fi
	shift
	source "$extension" "$@"
	return 0
}

#
# END subcommand functions
#

PROGRAM="${0##*/}"
COMMAND="$1"

case "$1" in
	init) shift;			cmd_init "$@" ;;
	help|--help) shift;		cmd_usage "$@" ;;
	version|--version) shift;	cmd_version "$@" ;;
	show|ls|list) shift;		cmd_show "$@" ;;
	find|search) shift;		cmd_find "$@" ;;
	grep) shift;			cmd_grep "$@" ;;
	insert|add) shift;		cmd_insert "$@" ;;
	edit) shift;			cmd_edit "$@" ;;
	generate) shift;		cmd_generate "$@" ;;
	delete|rm|remove) shift;	cmd_delete "$@" ;;
	rename|mv) shift;		cmd_copy_move "move" "$@" ;;
	copy|cp) shift;			cmd_copy_move "copy" "$@" ;;
	git) shift;			cmd_git "$@" ;;
	*)				cmd_extension_or_show "$@" ;;
esac

# power down the OpenPGP card
# g...@unixarea.de
#
gpgconf --reload scdaemon
sleep 2
exit 0
Re: Second OpenPGP-card
Matthias Apitz wrote:
> On Monday, February 26, 2024 at 06:40:26 -0600, Jacob Bachmeyer via Gnupg-users wrote:
>> Matthias Apitz wrote:
>>> [...]
>>> Said/showed that, I can't imagine that, when I SCP the file
>>> .password-store/test.gpg to another mobile with another OpenPGP card,
>>> that this system would be able to decrypt the file and reencrypt it
>>> again with the new card.
>>
>> Correct. You must first copy the *new* public key to the *old* system and
>> re-encrypt the password store to *both* public keys on the *old* system,
>> then transfer the encrypted blobs to the new system.
>> ...
>
> Thanks for the clarification and clear instruction.

You are welcome.

>> While you are here, this is a good time to remind you to regularly check the
>> list of public keys used with your password store. If Mallory can sneak
>> *his* key onto that list, he will be able to get your passwords!
>
> It says:
>
> purism@pureos:~$ gpg --list-keys
> /home/purism/.gnupg/pubring.kbx
> ---
> pub   rsa2048 2021-10-30 [SC]
>       336EB96892FE9FE7F6...
> uid           [ultimate] Matthias Apitz (GnuPG CCID L5)
> sub   rsa2048 2021-10-30 [A]
> sub   rsa2048 2021-10-30 [E]
> [...]

Are you sure that *that* is the list of public keys used by pass(1)? It almost certainly is not, since GPG's public key collection is meant to collect keys for a variety of uses. For example, sending encrypted emails or verifying signatures. You probably do not want your password store encrypted to everyone you correspond with!

Therefore, pass(1) almost certainly has its own list of keys stored somewhere else. Your regular public key was probably copied to that list when you initialized the password store. That is the list that you need to regularly check, lest Mallory be able to sneak his key onto it. That list is *also* where you need to add your new public key in order to migrate your password store.

Lastly, I know that you are using a smartcard, but you are storing long-lived (and presumably valuable) authentication tokens here. Does the card support RSA4096 or at least RSA3072? If so, I would strongly recommend migrating to longer keys, as RSA2048 is currently the shortest not probably already broken by increasing conventional computing power to throw at factoring. If I understand correctly, this is the reason that DSA is obsolete: DSA (to support smartcard implementations) specifies exactly one allowed key length: 1024 bits. While DSA uses discrete logarithms, the discrete logarithm and factoring problems have a mathematical equivalence that means a factoring algorithm can be used to derive a solution to the discrete logarithm problem and /vice versa/. Accordingly, RSA1024 is now considered sufficiently dubious that some implementations no longer support it, such as the go-crypto/openpgp library used by the newer "hockeypuck" keyserver software, which led to an interesting recent thread on gnupg-devel and a bunch of old keys effectively falling out of the Web of Trust.

-- Jacob
Re: Second OpenPGP-card
On Tue, 27 Feb 2024 10:07, Matthias Apitz said:
> I've never done anything with this and expected it also at date
> 2021-10-30 (when I initialized the OpenPGP card in the mobile L5).

The pubring.kbx is used for various things. For example we also store "ephemeral keys" for X.509 (those we receive via mail) which are not used due to an incomplete chain. There is a cleanup process running every few hours to remove them.

Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that refuse military service. - A. Einstein
Re: Second OpenPGP-card
On Monday, February 26, 2024 at 06:40:26 -0600, Jacob Bachmeyer via Gnupg-users wrote:
> Matthias Apitz wrote:
> > [...]
> > Said/showed that, I can't imagine that, when I SCP the file
> > .password-store/test.gpg to another mobile with another OpenPGP card,
> > that this system would be able to decrypt the file and reencrypt it
> > again with the new card.
>
> Correct. You must first copy the *new* public key to the *old* system and
> re-encrypt the password store to *both* public keys on the *old* system,
> then transfer the encrypted blobs to the new system.
> ...

Thanks for the clarification and clear instruction.

> While you are here, this is a good time to remind you to regularly check the
> list of public keys used with your password store. If Mallory can sneak
> *his* key onto that list, he will be able to get your passwords!

It says:

purism@pureos:~$ gpg --list-keys
/home/purism/.gnupg/pubring.kbx
---
pub   rsa2048 2021-10-30 [SC]
      336EB96892FE9FE7F6...
uid           [ultimate] Matthias Apitz (GnuPG CCID L5)
sub   rsa2048 2021-10-30 [A]
sub   rsa2048 2021-10-30 [E]

What makes me wonder is the last modification date of the file:

purism@pureos:~$ ls -l /home/purism/.gnupg/pubring.kbx
-rw------- 1 purism purism 172324 feb 1 11:13 /home/purism/.gnupg/pubring.kbx

I've never done anything with this and expected it also at date 2021-10-30 (when I initialized the OpenPGP card in the mobile L5).

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
I am not at war with Russia. Я не воюю с Россией. Ich bin nicht im Krieg mit Russland.
Re: Second OpenPGP-card
Matthias Apitz wrote:
> [...]
> Said/showed that, I can't imagine that, when I SCP the file
> .password-store/test.gpg to another mobile with another OpenPGP card,
> that this system would be able to decrypt the file and reencrypt it
> again with the new card.

Correct. You must first copy the *new* public key to the *old* system and re-encrypt the password store to *both* public keys on the *old* system, then transfer the encrypted blobs to the new system.

If you want to continue to use both cards, you will also need to copy the *old* public key to the *new* system and arrange for it to also encrypt the password store to *both* keys. Once that is done, you may use any method to synchronize the encrypted blobs between the systems and you will have your passwords on both systems.

While you are here, this is a good time to remind you to regularly check the list of public keys used with your password store. If Mallory can sneak *his* key onto that list, he will be able to get your passwords!

-- Jacob
Re: Second OpenPGP-card
On Tuesday, February 13, 2024 at 11:04:31 AM +0100, Werner Koch via Gnupg-users wrote:
> On Fri, 9 Feb 2024 15:36, Matthias Apitz said:
>
> > So, can I buy this card here in Europe or even in Germany?
>
> floss-shop.de

Only for the record: Meanwhile I bought the 2nd OpenPGP card in the Purism shop because floss-shop.de can't cut out the Micro-SIM size.

> > If not, I could with a script decrypt all the files in this tree and
> > encrypt them again after setup the card. But, it would be better just
> > copy the files over by SCP, also when passwords get added or updated.
>
> Actually we have an open task for re-encryption:
> https://dev.gnupg.org/T1825
>
> For small messages this is easy but there is no easy solution for large
> data. A detached encryption packet is a theoretical option.

I have here an example file of an entry 'test' in my .password-storage:

purism@pureos:~$ pass test
┌────────────────────────┐
│ Please unlock the card │
│                        │
│ Number: 0005 A6FE      │
│ Holder: Matthias Apitz │
│                        │
│ PIN                    │
│                        │
└────────────────────────┘
secret

purism@pureos:~$ file .password-store/test.gpg
.password-store/test.gpg: PGP RSA encrypted session key - keyid: 39BDCE02 5E4698B6 RSA (Encrypt or Sign) 2048b .

purism@pureos:~$ gpg -da .password-store/test.gpg
┌────────────────────────┐
│ Please unlock the card │
│                        │
│ Number: 0005 A6FE      │
│ Holder: Matthias Apitz │
│                        │
│ PIN                    │
│                        │
└────────────────────────┘
gpg: encrypted with 2048-bit RSA key, ID 39BDCE025E4698B6, created 2021-10-30
      "Matthias Apitz (GnuPG CCID L5) "
secret

Said/showed that, I can't imagine that, when I SCP the file .password-store/test.gpg to another mobile with another OpenPGP card, that this system would be able to decrypt the file and reencrypt it again with the new card.

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
I am not at war with Russia. Я не воюю с Россией. Ich bin nicht im Krieg mit Russland.
Re: Second OpenPGP-card
Some Javacards are available in at least larger SIM form factors. IIRC the NXP J3H145 was available SIM-cut from Smartcard Focus at some point, but it has been a while since I ordered one.

If it's an option for you to install an OpenPGP applet such as SmartPGP (https://github.com/github-af/SmartPGP) on such a card, Javacards might be an easier avenue than cutting the official card. I have a couple of NXP cards and SmartPGP appeared to work fine when I tried it, but I mostly use them with a PIV applet so I'm not sure about the state of functionality with current (2.4-era) GnuPG versions.

-Valtteri
Re: Second OpenPGP-card
On 20.02.24 at 17:20, Jakob Bohm via Gnupg-users wrote:
> On 2024-02-17 12:37, Juergen BRUCKNER via Gnupg-users wrote:
>> Hello Jacob,
>>
>> On 17.02.24 at 12:04, Jakob Bohm via Gnupg-users wrote:
>>> [...]
>>>> I don't know exactly how the situation about this is in Germany. But
>>>> here in Austria many mobile phone shops have a SIM card punch with
>>>> which you can punch out a micro-SIM or nano-SIM from a standard-SIM.
>>>
>>> In some other countries, the mobile providers issue SIMs that are
>>> pre-punched to pop out either of the 3 small sim sizes from a full
>>> credit-card sized card where key information like the PUK code and
>>> serial number are printed.
>>>
>>> More generally, there is no guarantee that hardware cards not sold
>>> through mobile phone carriers keep the actual chip/electronics within
>>> the nano-sim area near the middle of the contacts, most notably, NFC
>>> compatible cards will often have the NFC antenna outside that area,
>>> and it's a matter of luck if the contact card functionality works
>>> after cutting on any given hardware model.
>>
>> We are not talking about 'normal SIM cards' for use by mobile telephony
>> but rather about the OpenPGP Smart Card V3.4 in SIM format [1]. This
>> also doesn't have NFC functionality, so it can be punched fairly safely.
>> You just have to do it right
>
> Exactly, and there is no easy way of knowing if the cards used by
> floss-shop have chip parts outside the nano-sim boundary, which is
> smaller than the contact area on ID000 cards (seriously possible), nor
> if those cards are internally multi-chip constructs (rare but possible).

That's true! Point for you ;)

regards
Juergen

--
  /¯\  No   |
  \ /  HTML |  Juergen Bruckner
   X   in   |  juergen@bruckner.email
  / \  Mail |
Re: Second OpenPGP-card
On 2024-02-17 12:37, Juergen BRUCKNER via Gnupg-users wrote:
> Hello Jacob,
>
> On 17.02.24 at 12:04, Jakob Bohm via Gnupg-users wrote:
>> [...]
>>> I don't know exactly how the situation about this is in Germany. But
>>> here in Austria many mobile phone shops have a SIM card punch with
>>> which you can punch out a micro-SIM or nano-SIM from a standard-SIM.
>>
>> In some other countries, the mobile providers issue SIMs that are
>> pre-punched to pop out either of the 3 small sim sizes from a full
>> credit-card sized card where key information like the PUK code and
>> serial number are printed.
>>
>> More generally, there is no guarantee that hardware cards not sold
>> through mobile phone carriers keep the actual chip/electronics within
>> the nano-sim area near the middle of the contacts, most notably, NFC
>> compatible cards will often have the NFC antenna outside that area,
>> and it's a matter of luck if the contact card functionality works
>> after cutting on any given hardware model.
>
> We are not talking about 'normal SIM cards' for use by mobile telephony
> but rather about the OpenPGP Smart Card V3.4 in SIM format [1]. This
> also doesn't have NFC functionality, so it can be punched fairly safely.
> You just have to do it right

Exactly, and there is no easy way of knowing if the cards used by floss-shop have chip parts outside the nano-sim boundary, which is smaller than the contact area on ID000 cards (seriously possible), nor if those cards are internally multi-chip constructs (rare but possible).

Enjoy

Jakob

--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
Re: Second OpenPGP-card
Hello Jacob,

On 17.02.24 at 12:04, Jakob Bohm via Gnupg-users wrote:
> [...]
>> I don't know exactly how the situation about this is in Germany. But
>> here in Austria many mobile phone shops have a SIM card punch with
>> which you can punch out a micro-SIM or nano-SIM from a standard-SIM.
>
> In some other countries, the mobile providers issue SIMs that are
> pre-punched to pop out either of the 3 small sim sizes from a full
> credit-card sized card where key information like the PUK code and
> serial number are printed.
>
> More generally, there is no guarantee that hardware cards not sold
> through mobile phone carriers keep the actual chip/electronics within
> the nano-sim area near the middle of the contacts, most notably, NFC
> compatible cards will often have the NFC antenna outside that area,
> and it's a matter of luck if the contact card functionality works
> after cutting on any given hardware model.

We are not talking about 'normal SIM cards' for use by mobile telephony but rather about the OpenPGP Smart Card V3.4 in SIM format [1]. This also doesn't have NFC functionality, so it can be punched fairly safely. You just have to do it right

best regards
Juergen

[1] https://www.floss-shop.de/de/security-privacy/smartcards/13/openpgp-smart-card-v3.4

--
  /¯\  No   |
  \ /  HTML |  Juergen Bruckner
   X   in   |  juergen@bruckner.email
  / \  Mail |
Re: Second OpenPGP-card
On 2024-02-15 18:42, Juergen BRUCKNER via Gnupg-users wrote:
> Hello Matthias,
>
> On 13.02.24 at 17:32, Matthias Apitz wrote:
>> We need here 'Microm SIM'. And I talked to the owner of floss-shop.
>> They do not offer a way to pop out Micro SIM.
>
> I don't know exactly how the situation about this is in Germany. But
> here in Austria many mobile phone shops have a SIM card punch with
> which you can punch out a micro-SIM or nano-SIM from a standard-SIM.

In some other countries, the mobile providers issue SIMs that are pre-punched to pop out either of the 3 small sim sizes from a full credit-card sized card where key information like the PUK code and serial number are printed.

More generally, there is no guarantee that hardware cards not sold through mobile phone carriers keep the actual chip/electronics within the nano-sim area near the middle of the contacts, most notably, NFC compatible cards will often have the NFC antenna outside that area, and it's a matter of luck if the contact card functionality works after cutting on any given hardware model.

Enjoy

Jakob

--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
Re: Second OpenPGP-card
Hello Matthias,

On 13.02.24 at 17:32, Matthias Apitz wrote:
> We need here 'Micro SIM'. And I talked to the owner of floss-shop.
> They do not offer a way to pop out Micro SIM.

I don't know exactly how the situation about this is in Germany. But
here in Austria many mobile phone shops have a SIM card punch with
which you can punch out a micro-SIM or nano-SIM from a standard-SIM.

Maybe this helps

regards
Juergen

--
/¯\  No  |
\ / HTML |  Juergen Bruckner
 X   in  |  juergen@bruckner.email
/ \ Mail |
Re: Second OpenPGP-card
On Tue, 13 Feb 2024 17:32, Matthias Apitz said:

> We need here 'Micro SIM'. And I talked to the owner of floss-shop.
> They do not offer a way to pop out Micro SIM.

I simply use scissors to cut them out and those cards work. Granted I
don't use the Librem regularly (if at all), but the card was not that
much of a problem. Well, I had plenty of old cards to try ;-)

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
Re: Second OpenPGP-card
On Tuesday, February 13, 2024 at 12:47:13 +0100, Klaus Ethgen wrote:

> Hi,
>
> On Fri, 9 Feb 2024 at 15:36, Matthias Apitz wrote:
>> Next question: Can I transfer somehow the key from one card to the
>> other to use the same encrypted files foo.gpg from my password store:
>>
>> purism@pureos:~$ find .password-store/ -type f | wc -l
>> 373
>
> Well, pass has its mechanism itself. Just reinit your store with both
> keys and it should reencrypt them.
>
> I did that in the past with subdirs (where you can have different keys).

Hi Klaus,

I do not fully understand the procedure. Actually the .password-store/
is encrypted with the gpg-key-A on the phone L5, number 1. When I now
create on the phone number 2 with the other OpenPGP card a gpg-key-B,
and transfer the .password-store/ by SCP to this phone number 2, and
run there:

pass init gpg-key-B

How can 'pass' (i.e. gnupg) decrypt the files of the .password-store/
without having access to the OpenPGP card in phone 1 to re-encrypt them
with gpg-key-B?

Could you or someone please be so kind and clarify this? Thanks in
advance.

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia.
Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.
Re: Second OpenPGP-card
> On 13 Feb 2024, at 17:32, Matthias Apitz wrote:
>
> On Tuesday, February 13, 2024 at 09:57:17 a.m. -0500, Henning Follmann wrote:
>
>> On Tue, Feb 13, 2024 at 02:32:04PM +0100, Matthias Apitz wrote:
>>> On Tuesday, February 13, 2024 at 11:04:31 a.m. +0100, Werner Koch via
>>> Gnupg-users wrote:
>>>
>>>> On Fri, 9 Feb 2024 15:36, Matthias Apitz said:
>>>>
>>>>> So, can I buy this card here in Europe or even in Germany?
>>>>
>>>> floss-shop.de
>>>
>>> I've contacted floss-shop.de. They can not provide (i.e. cut) the
>>> card to Micro-SIM format. And I will not cut it myself because it
>>> must fit exactly in the internal reader slot behind the battery, or
>>> it will not come out anymore.
>>>
>> I do not know who you talked to but they offer their cards with a
>> ID000 cut out (25mm x 15mm). You can pop out the card and smoothen
>> the corners with sandpaper.
>> That is the exact size you are looking for.
>
> No. The card sizes are:
>
>    Standard SIM: 15 x 25mm.
>    Micro SIM: 12 x 15mm.
>    Nano SIM: 8.8 x 12.3mm.
>
> We need here 'Micro SIM'. And I talked to the owner of floss-shop.
> They do not offer a way to pop out Micro SIM.

In that case - you want this device:

https://www.bol.com/nl/nl/p/mmobiel-universele-3-in-1-standaard-micro-sim-cutter-nano-sim-kaart-knipper-inclusief-3-sim-adapters-1-sim-pin/920067066058/
https://www.amazon.com/2024-Card-Cutter-Standard-Micro/dp/B0CJGVX82H

And you do not need to cut 'that' accurately at all (in fact, cutting
it with a scalpel or simply using sharp scissors and taking care not to
bend the chip bit is very doable).

Dw.
Re: Second OpenPGP-card
On Tuesday, February 13, 2024 at 09:57:17 a.m. -0500, Henning Follmann wrote:

> On Tue, Feb 13, 2024 at 02:32:04PM +0100, Matthias Apitz wrote:
>> On Tuesday, February 13, 2024 at 11:04:31 a.m. +0100, Werner Koch via
>> Gnupg-users wrote:
>>
>>> On Fri, 9 Feb 2024 15:36, Matthias Apitz said:
>>>
>>>> So, can I buy this card here in Europe or even in Germany?
>>>
>>> floss-shop.de
>>
>> I've contacted floss-shop.de. They can not provide (i.e. cut) the card
>> to Micro-SIM format. And I will not cut it myself because it must fit
>> exactly in the internal reader slot behind the battery, or it will not
>> come out anymore.
>>
> I do not know who you talked to but they offer their cards with a
> ID000 cut out (25mm x 15mm). You can pop out the card and smoothen the
> corners with sandpaper.
> That is the exact size you are looking for.

No. The card sizes are:

   Standard SIM: 15 x 25mm.
   Micro SIM: 12 x 15mm.
   Nano SIM: 8.8 x 12.3mm.

We need here 'Micro SIM'. And I talked to the owner of floss-shop. They
do not offer a way to pop out Micro SIM.

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia.
Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.
Re: Second OpenPGP-card
On Tue, Feb 13, 2024 at 02:32:04PM +0100, Matthias Apitz wrote:
> On Tuesday, February 13, 2024 at 11:04:31 a.m. +0100, Werner Koch via
> Gnupg-users wrote:
>
>> On Fri, 9 Feb 2024 15:36, Matthias Apitz said:
>>
>>> So, can I buy this card here in Europe or even in Germany?
>>
>> floss-shop.de
>
> I've contacted floss-shop.de. They can not provide (i.e. cut) the card
> to Micro-SIM format. And I will not cut it myself because it must fit
> exactly in the internal reader slot behind the battery, or it will not
> come out anymore.
>

I do not know who you talked to but they offer their cards with a
ID000 cut out (25mm x 15mm). You can pop out the card and smoothen the
corners with sandpaper.
That is the exact size you are looking for.

You also could buy a Nitrokey starter. This is basically a smartcard
reader with a smartcard in a clam shell. You can just pry the shell
open and take the smartcard out. Their other keys are tamper proofed
(embedded in resin).

=H

--
Henning Follmann | hfollm...@itcfollmann.com
Re: Second OpenPGP-card
On Tuesday, February 13, 2024 at 03:40:12 p.m. +0100, Jakob Bohm via Gnupg-users wrote:

> On 2024-02-13 14:32, Matthias Apitz wrote:
>> On Tuesday, February 13, 2024 at 11:04:31 a.m. +0100, Werner Koch via
>> Gnupg-users wrote:
>>
>>> On Fri, 9 Feb 2024 15:36, Matthias Apitz said:
>>>
>>>> So, can I buy this card here in Europe or even in Germany?
>>> floss-shop.de
>> I've contacted floss-shop.de. They can not provide (i.e. cut) the
>> card to Micro-SIM format. And I will not cut it myself because it
>> must fit exactly in the internal reader slot behind the battery, or
>> it will not come out anymore.
> Because the GPG specific code installed on the card is FLOSS, you
> might be able to buy blank cards in the desired form factor and
> install the code yourself, provided the parts (code and card) can be
> legally transported to Cuba despite US sanctions. In particular, the
> Card Operating System or runtime may be of US origin and thus subject
> to sanctions.

I live in Europe and travel often to Cuba. Where could I get a blank
MicroSIM card, the code and a manual on how to flash it into the card?

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia.
Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.
Re: Second OpenPGP-card
On 2024-02-13 14:32, Matthias Apitz wrote:
> On Tuesday, February 13, 2024 at 11:04:31 a.m. +0100, Werner Koch via
> Gnupg-users wrote:
>
>> On Fri, 9 Feb 2024 15:36, Matthias Apitz said:
>>
>>> So, can I buy this card here in Europe or even in Germany?
>>
>> floss-shop.de
>
> I've contacted floss-shop.de. They can not provide (i.e. cut) the card
> to Micro-SIM format. And I will not cut it myself because it must fit
> exactly in the internal reader slot behind the battery, or it will not
> come out anymore.

Because the GPG specific code installed on the card is FLOSS, you might
be able to buy blank cards in the desired form factor and install the
code yourself, provided the parts (code and card) can be legally
transported to Cuba despite US sanctions. In particular, the Card
Operating System or runtime may be of US origin and thus subject to
sanctions.

Enjoy

Jakob

--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
Re: Second OpenPGP-card
On Tuesday, February 13, 2024 at 11:04:31 a.m. +0100, Werner Koch via Gnupg-users wrote:

> On Fri, 9 Feb 2024 15:36, Matthias Apitz said:
>
>> So, can I buy this card here in Europe or even in Germany?
>
> floss-shop.de

I've contacted floss-shop.de. They can not provide (i.e. cut) the card
to Micro-SIM format. And I will not cut it myself because it must fit
exactly in the internal reader slot behind the battery, or it will not
come out anymore.

>> If not, I could with a script decrypt all the files in this tree and
>> encrypt them again after setup the card. But, it would be better just
>> copy the files over by SCP, also when passwords get added or updated.
>
> Actually we have an open task for re-encryption:
> https://dev.gnupg.org/T1825
>
> For small messages this is easy but there is no easy solution for
> large data. A detached encryption packet is a theoretical option.

The files of the password store are very small, normally two lines like

secret
Username: g...@unixarea.de

Is this code already available for testing?

Thanks

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia.
Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.
Re: Second OpenPGP-card
Hi,

On Fri, 9 Feb 2024 at 15:36, Matthias Apitz wrote:
> Next question: Can I transfer somehow the key from one card to the
> other to use the same encrypted files foo.gpg from my password store:
>
> purism@pureos:~$ find .password-store/ -type f | wc -l
> 373

Well, pass has its mechanism itself. Just reinit your store with both
keys and it should reencrypt them.

I did that in the past with subdirs (where you can have different keys).

Regards
   Klaus

--
Klaus Ethgen                                    http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16   Klaus Ethgen
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
Re: Second OpenPGP-card
On Fri, 9 Feb 2024 15:36, Matthias Apitz said:

> So, can I buy this card here in Europe or even in Germany?

floss-shop.de

> If not, I could with a script decrypt all the files in this tree and
> encrypt them again after setup the card. But, it would be better just
> copy the files over by SCP, also when passwords get added or updated.

Actually we have an open task for re-encryption:
https://dev.gnupg.org/T1825

For small messages this is easy but there is no easy solution for large
data. A detached encryption packet is a theoretical option.

Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
Re: Second OpenPGP-card
Hello Matthias,

On 09.02.24 at 15:36, Matthias Apitz wrote:
> So, can I buy this card here in Europe or even in Germany?

yes you can buy this Card also in Europe:

https://www.floss-shop.de
https://www.cryptoshop.com

or you can also buy a USB/NFC-Device at Nitrokey

https://nitrokey.com

I hope this helps.

Best regards
Juergen

--
/¯\  No  |
\ / HTML |  Juergen Bruckner
 X   in  |  juergen@bruckner.email
/ \ Mail |
Re: Second OpenPGP-card
On 2024-02-09 14:36, Matthias Apitz wrote:
> Next question: Can I transfer somehow the key from one card to the
> other to use the same encrypted files foo.gpg from my password store:
>
> purism@pureos:~$ find .password-store/ -type f | wc -l
> 373

No, the entire point of an openpgp card is that you can't copy the key
material off it (otherwise it would have no advantages over a thumb
drive). I always recommend that people generate their key material on a
removable encrypted drive and then copy it onto the card, keeping a
backup copy on the encrypted drive. Otherwise you run the risk of data
loss when your card breaks or is lost.

> If not, I could with a script decrypt all the files in this tree and
> encrypt them again after setup the card. But, it would be better just
> copy the files over by SCP, also when passwords get added or updated.

It would depend on how `pass` works, whether there are any particular
parameters that need to be supplied with the encryption command.
Perhaps best to ask the `pass` maintainers about support for
re-encryption in general - the process shouldn't depend on whether or
not you're using a card.

A
Second OpenPGP-card
I do use an OpenPGP-card, bought from Purism, in one of my L5 mobiles
and I want to buy a second one for my other L5. I use two L5, one in
Europe, the other in Cuba with a Cuban SIM card. I could buy the 2nd
card from Purism too, but would have to pay a $65 shipping fee for the
$15 card.

So, can I buy this card here in Europe or even in Germany?

Next question: Can I transfer somehow the key from one card to the
other to use the same encrypted files foo.gpg from my password store:

purism@pureos:~$ find .password-store/ -type f | wc -l
373

If not, I could with a script decrypt all the files in this tree and
encrypt them again after setup the card. But, it would be better just
copy the files over by SCP, also when passwords get added or updated.

Thanks

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia.
Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.
Re: after OS update I can't use my OpenPGP card anymore
On Tuesday, September 26, 2023 at 09:35:52 a.m. +0900, NIIBE Yutaka wrote:

> Matthias Apitz wrote:
>> $ gdb /usr/local/libexec/scdaemon
>> ...
>> r --debug-all --verbose --verbose --server
>> ...
>> OK GNU Privacy Guard's Smartcard server ready
>> SERIALNO
>> [New LWP 101967 of process 2622]
>>
>> Thread 2 "pipe-connection" received signal SIGSEGV, Segmentation fault.
>> Address not mapped to object.
>> [Switching to LWP 101959 of process 2622]
>> 0x000800434a57 in ?? () from /usr/local/lib/libgpg-error.so.0
>> (gdb) bt
>> #0  0x000800434a57 in ?? () from /usr/local/lib/libgpg-error.so.0
>> #1  0x0008004314ef in ?? () from /usr/local/lib/libgpg-error.so.0
>> #2  0x0008004304e4 in ?? () from /usr/local/lib/libgpg-error.so.0
>> #3  0x00080042fdad in ?? () from /usr/local/lib/libgpg-error.so.0
>> #4  0x00080042d5e3 in ?? () from /usr/local/lib/libgpg-error.so.0
>> #5  0x0008004343ad in ?? () from /usr/local/lib/libgpg-error.so.0
>> #6  0x000800432bef in gpgrt_log_info ()
>>    from /usr/local/lib/libgpg-error.so.0
>> #7  0x002436e8 in ?? ()
>
> It looks like a SEGV during debug output. Does it work when it's
> invoked without --verbose?

Bingo! I removed --verbose from the cmd line and from the file
scdaemon.conf. A test on the shell now shows:

/usr/local/libexec/scdaemon --debug-all --verbose --verbose --server
scdaemon[2131]: reading options from '/home/guru/.gnupg-ccid/scdaemon.conf'
scdaemon[2131.a884ac12000]: reading options from '[cmdline]'
scdaemon[2131.a884ac12000]: enabled debug flags: mpi crypto memory cache memstat hashing ipc card cardio reader app
OK GNU Privacy Guard's Smartcard server ready
SERIALNO
S SERIALNO D2760001240102010005532B
OK

And also decryption with the OpenPGP card works fine after providing
the card's PIN:

pass web/test1
bla foo

One should file a bug PR.

Thanks

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
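The hex string in the `S SERIALNO` status line (and in the `Application ID` field of `gpg --card-status`) is the OpenPGP card's application identifier, whose fields encode the card version, manufacturer and serial number. The following decoder is an added example, not GnuPG code; its manufacturer table is a small subset, and the sample AID is constructed, because the AIDs as they appear in the archived messages are shorter than the 16 bytes the card specification defines.

```javascript
// Added example (not GnuPG code): decode an OpenPGP card application
// identifier (AID) as reported by scdaemon in "S SERIALNO <hex>".
// Layout per the OpenPGP card specification, 16 bytes in total:
//   RID (5) | application (1) | version (2, BCD) | manufacturer (2)
//   | serial number (4) | reserved (2)

const OPENPGP_RID = "d276000124"; // registered identifier of the OpenPGP app

// Small subset of the manufacturer table GnuPG keeps in app-openpgp.c.
const MANUFACTURERS = new Map([
  [0x0005, "ZeitControl"], // the cards discussed in this thread
  [0x0006, "Yubico"],
  [0x002a, "Magrathea"],
  [0xf517, "FSIJ"],        // Gnuk
]);

function manufacturerName(id) {
  if (id === 0x0000 || id === 0xffff) return "test card";
  // 0xFF00..0xFFFE is the range the specification leaves for randomly
  // assigned (unregistered) ids.
  if (id >= 0xff00 && id <= 0xfffe) return "unregistered (random id)";
  return MANUFACTURERS.get(id) || "unknown";
}

function decodeOpenPgpAid(hex) {
  const s = String(hex).replace(/\s+/g, "").toLowerCase();
  if (!/^[0-9a-f]{32}$/.test(s)) {
    throw new Error(`AID must be 16 bytes (32 hex digits), got ${s.length} digits`);
  }
  if (!s.startsWith(OPENPGP_RID)) {
    throw new Error("RID mismatch: not an OpenPGP card AID");
  }
  if (s.slice(10, 12) !== "01") {
    throw new Error(`unexpected application byte 0x${s.slice(10, 12)}`);
  }
  // The two version bytes are BCD: "0303" -> 3.3, "0201" -> 2.1.
  const vers = s.slice(12, 16);
  if (!/^[0-9]{4}$/.test(vers)) throw new Error(`version bytes ${vers} are not BCD`);
  const version = `${parseInt(vers.slice(0, 2), 10)}.${parseInt(vers.slice(2, 4), 10)}`;
  const manufacturerId = parseInt(s.slice(16, 20), 16);
  return {
    version,
    manufacturerId,
    manufacturer: manufacturerName(manufacturerId),
    serial: s.slice(20, 28).toUpperCase(),
    reserved: s.slice(28, 32),
    // A test-card id is worth flagging in inventory: such a card carries
    // no manufacturer-assigned serial number.
    testCard: manufacturerId === 0x0000 || manufacturerId === 0xffff,
  };
}

// Extract and decode the AID from an Assuan status line like the one in the
// thread; anything after the hex field is ignored.
function aidFromStatusLine(line) {
  const m = /^S SERIALNO ([0-9A-Fa-f]+)/.exec(line.trim());
  if (!m) throw new Error("not a SERIALNO status line");
  return decodeOpenPgpAid(m[1]);
}

// Constructed sample: a full-length AID for a ZeitControl v3.3 card with a
// made-up serial number.
const SAMPLE_STATUS_LINE = "S SERIALNO D2760001240103030005000012340000";

const sample = aidFromStatusLine(SAMPLE_STATUS_LINE);
console.log(`OpenPGP card v${sample.version}, ${sample.manufacturer}, serial ${sample.serial}`);
```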
Re: after OS update I can't use my OpenPGP card anymore
Matthias Apitz wrote:
> $ gdb /usr/local/libexec/scdaemon
> ...
> r --debug-all --verbose --verbose --server
> ...
> OK GNU Privacy Guard's Smartcard server ready
> SERIALNO
> [New LWP 101967 of process 2622]
>
> Thread 2 "pipe-connection" received signal SIGSEGV, Segmentation fault.
> Address not mapped to object.
> [Switching to LWP 101959 of process 2622]
> 0x000800434a57 in ?? () from /usr/local/lib/libgpg-error.so.0
> (gdb) bt
> #0  0x000800434a57 in ?? () from /usr/local/lib/libgpg-error.so.0
> #1  0x0008004314ef in ?? () from /usr/local/lib/libgpg-error.so.0
> #2  0x0008004304e4 in ?? () from /usr/local/lib/libgpg-error.so.0
> #3  0x00080042fdad in ?? () from /usr/local/lib/libgpg-error.so.0
> #4  0x00080042d5e3 in ?? () from /usr/local/lib/libgpg-error.so.0
> #5  0x0008004343ad in ?? () from /usr/local/lib/libgpg-error.so.0
> #6  0x000800432bef in gpgrt_log_info ()
>    from /usr/local/lib/libgpg-error.so.0
> #7  0x002436e8 in ?? ()

It looks like a SEGV during debug output. Does it work when it's
invoked without --verbose?
--
Re: after OS update I can't use my OpenPGP card anymore
On Monday, September 25, 2023 at 11:03:23 a.m. +0900, NIIBE Yutaka wrote:

> Hello,
>
> Matthias Apitz wrote:
>> After an update of FreeBSD from 13-CURRENT to 14-CURRENT I can't use
>> my OpenPGP card with the USB token anymore. In /var/log/messages
>> it says:
> [...]
>> Any hints how to debug this
>
> You can run scdaemon as a foreground process to debug. An example
> session is like:
>
> $ SOME_PATH_TO_scdaemon --debug-all --verbose --verbose --server
> ...
> SERIALNO
> ...
> BYE
> $
>
> (Here, "SERIALNO" and "BYE" are input from the terminal by a user)
>
> Likewise, you can invoke scdaemon as a foreground process from GDB.
> Then, you may locate the place where it crashes.
> --

I run it in GDB as:

$ gdb /usr/local/libexec/scdaemon
...
r --debug-all --verbose --verbose --server
...
OK GNU Privacy Guard's Smartcard server ready
SERIALNO
[New LWP 101967 of process 2622]

Thread 2 "pipe-connection" received signal SIGSEGV, Segmentation fault.
Address not mapped to object.
[Switching to LWP 101959 of process 2622]
0x000800434a57 in ?? () from /usr/local/lib/libgpg-error.so.0
(gdb) bt
#0  0x000800434a57 in ?? () from /usr/local/lib/libgpg-error.so.0
#1  0x0008004314ef in ?? () from /usr/local/lib/libgpg-error.so.0
#2  0x0008004304e4 in ?? () from /usr/local/lib/libgpg-error.so.0
#3  0x00080042fdad in ?? () from /usr/local/lib/libgpg-error.so.0
#4  0x00080042d5e3 in ?? () from /usr/local/lib/libgpg-error.so.0
#5  0x0008004343ad in ?? () from /usr/local/lib/libgpg-error.so.0
#6  0x000800432bef in gpgrt_log_info () from /usr/local/lib/libgpg-error.so.0
#7  0x002436e8 in ?? ()
...

I have to compile it on my own (and not install it as a FreeBSD pkg)
and with debug symbols.

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
Re: after OS update I can't use my OpenPGP card anymore
Hello,

Matthias Apitz wrote:
> After an update of FreeBSD from 13-CURRENT to 14-CURRENT I can't use
> my OpenPGP card with the USB token anymore. In /var/log/messages
> it says:
[...]
> Any hints how to debug this

You can run scdaemon as a foreground process to debug. An example
session is like:

$ SOME_PATH_TO_scdaemon --debug-all --verbose --verbose --server
...
SERIALNO
...
BYE
$

(Here, "SERIALNO" and "BYE" are input from the terminal by a user)

Likewise, you can invoke scdaemon as a foreground process from GDB.
Then, you may locate the place where it crashes.
--
after OS update I can't use my OpenPGP card anymore
Hello,

After an update of FreeBSD from 13-CURRENT to 14-CURRENT I can't use
my OpenPGP card with the USB token anymore. In /var/log/messages
it says:

Sep 24 19:33:02 c720-1400094 kernel: ugen0.4: at usbus0
Sep 24 19:33:07 c720-1400094 kernel: pid 3886 (scdaemon), jid 0, uid 1001: exited on signal 11

and in the debug log of scdaemon I have the following lines, which lead
me to think that the communication with the card seems to work and
scdaemon pid=3886 crashes while communicating with the card.

Any hints how to debug this?

Thanks

matthias

2023-09-24 19:33:07 scdaemon[3886.28ae4d612000] escuchando en el socket '/var/run/user/1001/gnupg/d.m4rfaasqebhjmgto9ddm6m7y/S.scdaemon'
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] manejador del descriptor -1 iniciado
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: chan_7 -> OK GNU Privacy Guard's Smartcard server ready
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: chan_7 <- GETINFO socket_name
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: chan_7 -> D /var/run/user/1001/gnupg/d.m4rfaasqebhjmgto9ddm6m7y/S.scdaemon
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: chan_7 -> OK
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: chan_7 <- OPTION event-signal=31
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: chan_7 -> OK
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: chan_7 <- SERIALNO --all
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: apdu_open_reader: BAI=400
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: apdu_open_reader: new device=400
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver: using CCID reader 0 (ID=04E6:5816:55511725600891:0)
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver: idVendor: 04E6  idProduct: 5816  bcdDevice: 0202
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver: ChipCard Interface Descriptor:
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver:   bLength                54
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver:   bDescriptorType        33
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver:   bcdCCID              1.10  (Warning: Only accurate for version 1.0)
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver:   nMaxSlotIndex           0
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver:   bVoltageSupport         7  ?
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver:   dwProtocols             3  T=0 T=1
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver:   dwDefaultClock       4800
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver:   dwMaxiumumClock     16000
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver:   bNumClockSupported      0
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver:   dwDataRate          12903 bps
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver:   dwMaxDataRate          60 bps
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver:   bNumDataRatesSupp.      0
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver:   dwMaxIFSD             252
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver:   dwSyncProtocols
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver:   dwMechanical
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver:   dwFeatures       000100BA
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver:     Auto configuration based on ATR (assumes auto voltage)
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver:     Auto voltage selection
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver:     Auto clock change
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver:     Auto baud rate change
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver:     Auto PPS made by CCID
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver:     TPDU level exchange
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver:   dwMaxCCIDMsgLen       271
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver:   bClassGetResponse    echo
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver:   bClassEnvelope       echo
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver:   wlcdLayout           none
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver:   bPINSupport             0
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver:   bMaxCCIDBusySlots       1
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver: PC_to_RDR_IccPowerOn:
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver:   dwLength ..: 0
2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver:   bSlot .: 0
2023-09-24 19:33:07 scdaemon[38
Re: YubiKey/OpenPGP card connection issues for non-root user
The issue persists. Sometimes the readers (just now the YubiKey) are
not visible to the user. But they always are to root.

I then disabled the PC/SC daemon:

[felix@felix-arch ~]$ sudo systemctl disable pcscd
Removed "/etc/systemd/system/sockets.target.wants/pcscd.socket".
[felix@felix-arch ~]$ sudo systemctl stop pcscd
Warning: Stopping pcscd.service, but it can still be activated by:
  pcscd.socket

Afterwards, `gpg --card-status` immediately showed the card status to
the ordinary user.

However, this solution is not good. As I mentioned before, I may want
to use PC/SC in the future, and I may also just accidentally re-enable
it. So it would be better to have a solution where the PC/SC daemon
does not cause some race condition.
Re: YubiKey/OpenPGP card connection issues for non-root user
On Mon, Aug 7, 2023 at 3:30 PM Werner Koch wrote:
>> I also tried killing root’s gpg-agent, to avoid conflicts with that
>> of the user, but that didn’t help either.
>
> Right a second scdaemon might have grabbed the device. If you don't
> need it as root put into root's gpg-agent.conf "disable-scdaemon".
>
> Another option is to put
>
> pcsc-shared

Thanks, good to know about this option. However, I hope that fixing
PC/SC access has solved the issue. See my other message.
Re: YubiKey/OpenPGP card connection issues for non-root user
On Mon, Aug 7, 2023 at 9:00 AM NIIBE Yutaka wrote:
> Please note that there may be two methods to access the device in
> scdaemon:
>
> * in-stock CCID driver of scdaemon
> * the PC/SC service
>
> Your output shows that you are connecting the smartcard reader through
> the PC/SC service.

Interesting. I assume the problem is down to a race-condition with the
two competing for access. That would explain its apparent randomness.

> If it's not your intention and your scdaemon has support of in-stock
> CCID driver, I'd recommend not to use the PC/SC service. Perhaps,
> simply uninstall pcscd.

I prefer not to, because: I may install the PC/SC service again in the
future and then I likely will have forgotten about our conversation
here.

> If you have a reason for using the PC/SC service (say, for example,
> you need the service for other applications and other cards, as well
> as your use of OpenPGP smartcard for GnuPG), please make sure that you
> configure the PC/SC service correctly.

Indeed it was not properly set up:

[felix@felix-arch ~]$ opensc-tool -l
No smart card readers found.

I added a Polkit rule following the [instructions][1] for PC/SC:

[root@felix-arch ~]# cat /etc/polkit-1/rules.d/01-pcscd.rules
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
        subject.user == "felix") {
        return polkit.Result.YES;
    }
});

Now it works:

[felix@felix-arch ~]$ opensc-tool -l
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Yubico YubiKey CCID 00 00

I should see in the upcoming days whether that solves the issue.

Thank you!

[1]: https://github.com/LudovicRousseau/PCSC/blob/master/doc/README.polkit
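The rule in the message above grants pcscd access to one user by name. The following is an added example, not from the thread or from pcsc-lite: it keeps that rule, puts next to it a variant that keys on group membership and an active local session instead of a hard-coded user, and evaluates both against constructed subjects. The group name `scard` is assumed; `org.debian.pcsc-lite.access_card` is pcsc-lite's second action, for access to a card rather than to the daemon.

```javascript
// Added example, not from the thread or from pcsc-lite: exercise polkit
// rules for pcscd offline. Rules in /etc/polkit-1/rules.d are JavaScript,
// so the same function bodies would run under polkit itself.

// Stand-in for the global object polkit exposes to rules.d scripts.
const polkit = {
  Result: { YES: "yes", NO: "no" },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
  // Rules run in order; the first one returning a result decides, otherwise
  // polkit falls back to the action's default (modelled as undefined).
  evaluate(action, subject) {
    for (const rule of this._rules) {
      const r = rule(action, subject);
      if (r !== undefined) return r;
    }
    return undefined;
  },
};

// The rule as posted in the thread: one user, access to the daemon only.
polkit.addRule(function (action, subject) {
  if (action.id == "org.debian.pcsc-lite.access_pcsc" && subject.user == "felix") {
    return polkit.Result.YES;
  }
});

// Variant: grant both pcsc-lite actions to members of a group (name assumed),
// but only from an active local session, so a remote or backgrounded login
// of the same account does not get the reader. In a real deployment you
// would install one of the two rules, not both.
const PCSC_ACTIONS = [
  "org.debian.pcsc-lite.access_pcsc",
  "org.debian.pcsc-lite.access_card",
];
const SMARTCARD_GROUP = "scard"; // assumed group name
polkit.addRule(function (action, subject) {
  if (PCSC_ACTIONS.indexOf(action.id) !== -1 &&
      subject.local && subject.active && subject.isInGroup(SMARTCARD_GROUP)) {
    return polkit.Result.YES;
  }
});

// Constructed subject carrying the properties polkit rules consult
// (user, local, active, isInGroup).
function makeSubject({ user, groups = [], local = true, active = true }) {
  return { user, local, active, isInGroup: (g) => groups.includes(g) };
}

// Decide one action for one subject: "yes", "no" or undefined (not handled).
function decide(actionId, subject) {
  return polkit.evaluate({ id: actionId }, subject);
}

console.log("felix, daemon  :", decide(PCSC_ACTIONS[0], makeSubject({ user: "felix" })));
console.log("felix, card    :", decide(PCSC_ACTIONS[1], makeSubject({ user: "felix" })));
console.log("alice (scard)  :", decide(PCSC_ACTIONS[1], makeSubject({ user: "alice", groups: ["scard"] })));
console.log("alice (remote) :", decide(PCSC_ACTIONS[1], makeSubject({ user: "alice", groups: ["scard"], local: false })));
```

A value of `undefined` means neither rule handled the request and pcscd's own default for that action applies.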
Re: YubiKey/OpenPGP card connection issues for non-root user
On Sat, 5 Aug 2023 12:10, Felix E. Klee said:

> I also tried killing root’s gpg-agent, to avoid conflicts with that of
> the user, but that didn’t help either.

Right a second scdaemon might have grabbed the device. If you don't
need it as root put into root's gpg-agent.conf "disable-scdaemon".

Another option is to put

pcsc-shared

into /etc/gnupg/scdaemon.conf and to install pcscd. The drawback is
that there might be some hiccup with OpenPGP cards and PIN requests
(because we cache the verification status in scdaemon for the sake of
older OpenPGP cards) and if you change the data on a card the other
scdaemons won't see the change. We are currently considering whether
to change scdaemon to a system service or implement some kind of
syncing.

> Why does it work as root but not as regular user?

The root's scdaemon has access to the device.

Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
Re: YubiKey/OpenPGP card connection issues for non-root user
Hello,

Please note that I don't have any experience using scdaemon in a guest
OS of GNU/Linux. So, my answer may be wrong/irrelevant.

"Felix E. Klee" wrote:
> [felix@felix-arch ~]$ sudo gpg --card-status
> Reader ...: SCM Microsystems Inc. SPR 532 [CCID Interface]
> (51271741200012) 00 00

Please note that there may be two methods to access the device in
scdaemon:

 * in-stock CCID driver of scdaemon
 * the PC/SC service

Your output shows that you are connecting the smartcard reader through
the PC/SC service.

If it's not your intention and your scdaemon has support of in-stock
CCID driver, I'd recommend not to use the PC/SC service. Perhaps,
simply uninstall pcscd. That's because it's simpler for scdaemon.
It's easier to configure and debug, if your purpose is only for use of
OpenPGP smartcard.

If you have a reason for using the PC/SC service (say, for example, you
need the service for other applications and other cards, as well as
your use of OpenPGP smartcard for GnuPG), please make sure that you
configure the PC/SC service correctly. You should test and make sure,
as a normal user, that you can access your cards by the PC/SC service
correctly.

* * *

Also, I'm afraid that you are using older GnuPG.

In GnuPG 2.2, scdaemon had a feature to fall back to the PC/SC service
when access to the in-stock CCID driver doesn't go well. The feature is
disabled in 2.4.

In GnuPG 2.4, when scdaemon has support of in-stock CCID driver, to use
the PC/SC service, you need to manually configure scdaemon with
"disable-ccid" (no use of in-stock CCID driver).
--
Re: YubiKey/OpenPGP card connection issues for non-root user
On Thu, Aug 3, 2023 at 9:28 PM Michael Richardson wrote:
> I think you need to make sure that it's not VMware that's failing to
> plug the device through in a timely manner.

I have configured the VMware guest to automatically take over these devices from the Windows 10 host:

    usb.autoConnect.device0 = "0x04e6:0xe003"
    […]
    usb.autoConnect.device7 = "0x1050:0x0404"

> dmesg -w

I just played around. After unplugging the YubiKey, I connected the SPR332:

    [felix@felix-arch ~]$ sudo dmesg -w
    […]
    [ 5135.728320] usb 2-1: new full-speed USB device number 6 using uhci_hcd
    [ 5136.137546] usb 2-1: New USB device found, idVendor=04e6, idProduct=e003, bcdDevice= 7.01
    [ 5136.137551] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=5
    [ 5136.137553] usb 2-1: Product: SPRx32 USB Smart Card Reader
    [ 5136.137554] usb 2-1: Manufacturer: SCM Microsystems Inc.
    [ 5136.137555] usb 2-1: SerialNumber: 51271741200012
    ^C
    [felix@felix-arch ~]$ gpg --card-status
    gpg: selecting card failed: No such device
    gpg: OpenPGP card not available: No such device
    [felix@felix-arch ~]$ sudo gpg --card-status
    Reader ...: SCM Microsystems Inc. SPR 532 [CCID Interface] (51271741200012) 00 00
    Application ID ...: D276000124010303000564D5
    Application type .: OpenPGP
    Version ..: 3.3
    Manufacturer .: ZeitControl
    Serial number : 64D5
    Name of cardholder: Felix Klee
    Language prefs ...: en
    Salutation ...: Mr.
    URL of public key : https://sks-keyservers.net/pks/lookup?op=get&search=0x5EF8B6017F668171259945D6BEF6EFD38FE8DCA0
    Login data ...: [not set]
    Signature PIN : forced
    Key attributes ...: rsa4096 rsa4096 rsa2048
    Max. PIN lengths .: 64 64 64
    PIN retry counter : 3 3 3
    Signature counter : 10
    KDF setting ..: off
    Signature key : 5EF8 B601 7F66 8171 2599 45D6 BEF6 EFD3 8FE8 DCA0
          created : 2016-12-17 10:49:18
    Encryption key: 27BF BB40 70FC 6351 189E 79FE 04FD F78D 1679 DD94
          created : 2016-12-17 10:49:18
    Authentication key: [none]
    General key info..: pub rsa4096/BEF6EFD38FE8DCA0 2016-12-17 Felix E. Klee
    sec>  rsa4096/BEF6EFD38FE8DCA0  created: 2016-12-17  expires: 2020-11-10
                                    card-no: 0005 64D5
    ssb>  rsa4096/04FDF78D1679DD94  created: 2016-12-17  expires: 2020-11-10
                                    card-no: 0005 64D5
    [felix@felix-arch ~]$ gpg --card-status
    gpg: selecting card failed: No such device
    gpg: OpenPGP card not available: No such device

As you can see, I can connect to it as root but not as regular user. Sometimes connection as regular user works, sometimes not. Sometimes I just have to wait for a while, can be minutes, and then it works.

I also tried killing root’s gpg-agent, to avoid conflicts with that of the user, but that didn’t help either.

Furthermore, even if udev doesn’t trigger, I should have rw access to the device file (it’s an SPR332, not sure why it says SPR532):

    [felix@felix-arch ~]$ lsusb | grep SPR532
    Bus 002 Device 006: ID 04e6:e003 SCM Microsystems, Inc. SPR532 PinPad SmartCard Reader
    [felix@felix-arch ~]$ ls -l /dev/bus/usb/002/006
    crw-rw---- 1 root scard 189, 133 Aug 5 12:02 /dev/bus/usb/002/006
    [felix@felix-arch ~]$ groups
    scanner saned uucp optical lp audio wheel felix scard plugdev
    [felix@felix-arch ~]$ gpg --card-status
    gpg: selecting card failed: No such device
    gpg: OpenPGP card not available: No such device

Why does it work as root but not as regular user? Any suggestion for a fix, even if crude, is welcome!
Re: YubiKey/OpenPGP card connection issues for non-root user
Felix E. Klee wrote:
> system (running in VMware under Windows), it sometimes takes minutes to
> [felix@felix-arch ~]$ ls /dev/bus/usb/002/011
> /dev/bus/usb/002/011

I think you need to make sure that it's not VMware that's failing to plug the device through in a timely manner.

    dmesg -w

would confirm that it's getting there.

You say that you can get it working as root. How does --card-status know which USB device to use? Does it perhaps scan through all devices? I wonder if it is getting stuck on some other device that it hasn't got permission for?

> How do I fix that?
> I am happy to substitute the udev rules with a timer, or to call some
> command to give permissions every time I want to use the YubiKey or the
> OpenPGP card. I just would like the whole process to be more reliable.
> Currently, it’s extremely frustrating.

!-indeed.

--
Michael Richardson. o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
YubiKey/OpenPGP card connection issues for non-root user
Recently I set up a YubiKey 5C NFC, and when I connect it to my Linux system (running in VMware under Windows), it sometimes takes minutes to be able to use. I.e. it can take forever until I get a successful response from:

    gpg --card-status

OTOH I can immediately get a response when I run the above command as root.

Now I notice that the occasional connection issues I have with the OpenPGP card in my SCM SPR332 are similar. Furthermore, it happens that the YubiKey or the card reader suddenly disappear for the ordinary user, although that is rare.

I have set up udev rules for both. But it seems that sometimes they don't trigger, or only with a long delay.

    [felix@felix-arch ~]$ cd /etc/udev/rules.d/
    [felix@felix-arch rules.d]$ cat 70-yubikey.rules
    # YubiKey Support
    #
    ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0404", MODE="660", GROUP="scard"
    [felix@felix-arch rules.d]$ cat 71-gnupg-ccid.rules
    # GPG SmartCard Reader Support
    #
    ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="04e6", ENV{ID_MODEL_ID}=="e003", MODE="660", GROUP="scard"

Even without udev rules, I think I should have access to the devices, because I'm in group `scard`:

    [felix@felix-arch ~]$ ls /dev/bus/usb/002/011
    /dev/bus/usb/002/011
    [felix@felix-arch ~]$ ls -l /dev/bus/usb/002/011
    crw-rw---- 1 root scard 189, 138 Aug 3 14:56 /dev/bus/usb/002/011
    [felix@felix-arch ~]$ gpg --card-status
    gpg: selecting card failed: No such device
    gpg: OpenPGP card not available: No such device
    [felix@felix-arch ~]$ groups
    scanner saned uucp optical lp audio wheel felix scard plugdev
    [felix@felix-arch ~]$ lsusb
    Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
    Bus 003 Device 004: ID 0e0f:0002 VMware, Inc. Virtual USB Hub
    Bus 003 Device 003: ID 0e0f:0002 VMware, Inc. Virtual USB Hub
    Bus 003 Device 002: ID 0e0f:0003 VMware, Inc. Virtual Mouse
    Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
    Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
    Bus 002 Device 002: ID 0e0f:0002 VMware, Inc. Virtual USB Hub
    Bus 002 Device 011: ID 1050:0404 Yubico.com Yubikey 4/5 CCID
    Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

How do I fix that?

I am happy to substitute the udev rules with a timer, or to call some command to give permissions every time I want to use the YubiKey or the OpenPGP card. I just would like the whole process to be more reliable. Currently, it’s extremely frustrating.
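The explanation Werner and Michael give in this thread (root's scdaemon, or pcscd, already holding the reader, so that correct node permissions do not help) can be checked directly rather than guessed at. The script below is an added example, not code from the thread or from GnuPG; it assumes a Linux /proc and takes the device node path as its argument, defaulting to the SPR532's node from the messages above.

```python
"""Report which processes hold a smart card reader's USB device node open.

Added diagnostic for the thread above (not GnuPG's code and not from the
posters). When `gpg --card-status` works as root but fails as the user,
the thread's explanation is that another scdaemon or pcscd has the reader
open. This walks /proc/<pid>/fd, reports every holder with its owning
user, and maps the finding to the remedies named in the thread. Run it
while the failure is happening, with sudo so other users' descriptors are
readable, e.g.: sudo python3 card_holders.py /dev/bus/usb/002/006
"""
import os
import pwd
import sys
from dataclasses import dataclass


@dataclass
class Holder:
    pid: int
    comm: str      # process name from /proc/<pid>/comm
    uid: int       # real uid from /proc/<pid>/status
    user: str      # resolved name, or the uid as text when unknown


def _proc_uid(pid_dir: str) -> int:
    """Real uid of a process: first field after 'Uid:' in its status file."""
    with open(os.path.join(pid_dir, "status"), encoding="utf-8") as fh:
        for line in fh:
            if line.startswith("Uid:"):
                return int(line.split()[1])
    raise ValueError(f"no Uid line in {pid_dir}/status")


def _proc_comm(pid_dir: str) -> str:
    with open(os.path.join(pid_dir, "comm"), encoding="utf-8") as fh:
        return fh.read().strip()


def find_device_holders(dev_path: str, proc_root: str = "/proc") -> list:
    """Processes with a descriptor whose /proc fd link points at dev_path.

    Processes whose fd directory cannot be read (another user's, without
    root) or that exit mid-scan are skipped rather than reported.
    """
    want = os.path.normpath(dev_path)
    holders = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # skip self, sys, meminfo, ...
            continue
        pid_dir = os.path.join(proc_root, entry)
        fd_dir = os.path.join(pid_dir, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if os.path.normpath(target) != want:
                continue
            try:
                uid = _proc_uid(pid_dir)
                comm = _proc_comm(pid_dir)
            except OSError:
                break
            try:
                user = pwd.getpwuid(uid).pw_name
            except KeyError:
                user = str(uid)
            holders.append(Holder(int(entry), comm, uid, user))
            break                        # one line per process is enough
    return sorted(holders, key=lambda h: h.pid)


def advice(holders: list, my_uid: int) -> str:
    """Map each holder to the remedy the thread proposes for it."""
    if not holders:
        return ("nobody holds the node: check the udev rule and group membership, "
                "and whether scdaemon is using PC/SC or its own CCID driver")
    lines = []
    for h in holders:
        if h.uid == my_uid:
            lines.append(f"pid {h.pid} ({h.comm}) is your own process; no contention")
        elif h.comm == "scdaemon":
            lines.append(f"pid {h.pid} is {h.user}'s scdaemon: put disable-scdaemon in that "
                         "user's gpg-agent.conf, or use pcsc-shared in "
                         "/etc/gnupg/scdaemon.conf and let pcscd own the reader")
        elif h.comm == "pcscd":
            lines.append(f"pid {h.pid} is pcscd: every scdaemon must then go through "
                         "PC/SC (disable-ccid in scdaemon.conf on GnuPG 2.4)")
        else:
            lines.append(f"pid {h.pid} ({h.comm}, {h.user}) holds the node")
    return "\n".join(lines)


if __name__ == "__main__":
    # Default is the SPR532's node from the thread; pass your own as argv[1].
    node = sys.argv[1] if len(sys.argv) > 1 else "/dev/bus/usb/002/006"
    found = find_device_holders(node)
    for h in found:
        print(f"{node} open by pid {h.pid} {h.comm} ({h.user})")
    print(advice(found, os.getuid()))
```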
Re: OpenPGP card with 25519 key breaks SSH sntrup761x25519-sha...@openssh.com
Never mind -- I realized this was a duplicate of this bug report:

https://dev.gnupg.org/T5935

I will try to work on getting a newer GnuPG into Guix as a solution.

/Simon
OpenPGP card with 25519 key breaks SSH sntrup761x25519-sha...@openssh.com
Hi.

When I SSH with gpg-agent's ssh-agent emulation, this happens:

    jas@kaka ~$ ssh root@192.168.10.186
    sign_and_send_pubkey: signing failed for ED25519 "cardno:FFFE 42315277" from agent: agent refused operation
    root@192.168.10.186: Permission denied (publickey).
    jas@kaka ~$

Tracking it down, it only occurs when both of these hold:

1) Modern enough SSH versions that prefer sntrup761x25519-sha...@openssh.com over curve25519-sha256. To force it:

    ssh -oKexAlgorithms=sntrup761x25519-sha...@openssh.com root@192.168.10.186

2) The 25519 key is on an OpenPGP card.

I verified that 'ssh-keygen -t ed25519' and using that key works successfully with sntrup761x25519-sha512, so the problem is likely not within the OpenSSH server or client. I have verified the problem with two different OpenPGP cards, Gnuk1.2.20@FST01SZ and YubiKey, so it is likely not a card problem.

Isn't this supposed to work?

The workaround is to use the old default of curve25519-sha256:

    jas@kaka ~$ ssh -oKexAlgorithms=curve25519-sha256 root@192.168.10.186

Then it works.

I enabled debugging and restarted scdaemon as follows:

    jas@kaka ~$ cat>.gnupg/scdaemon.conf
    debug-all
    log-file /tmp/scd.log
    jas@kaka ~$ gpg-connect-agent "SCD KILLSCD" "SCD BYE" /bye
    OK
    ERR 67125247 Slut på fil
    jas@kaka ~$

The relevant output from a failing SSH command:

    DBG: chan_7 <- SERIALNO
    DBG: chan_7 -> S SERIALNO D276000124010200FFFE42315277
    DBG: chan_7 -> OK
    DBG: chan_7 <- GETINFO card_list
    DBG: chan_7 -> S SERIALNO D276000124010200FFFE42315277
    DBG: chan_7 -> OK
    DBG: chan_7 <- SERIALNO --demand=D276000124010200FFFE42315277
    DBG: chan_7 -> S SERIALNO D276000124010200FFFE42315277
    DBG: chan_7 -> OK
    DBG: chan_7 <- GETATTR $AUTHKEYID
    DBG: chan_7 -> S $AUTHKEYID OPENPGP.3
    DBG: chan_7 -> OK
    DBG: chan_7 <- GETATTR SERIALNO
    DBG: chan_7 -> S SERIALNO D276000124010200FFFE42315277
    DBG: chan_7 -> OK
    DBG: chan_7 <- READKEY OPENPGP.3
    DBG: chan_7 -> [ 44 20 28 31 30 3a 70 75 62 6c 69 63 2d 6b 65 79 ...(85 byte(s) skipped) ]
    DBG: chan_7 -> OK
    DBG: chan_7 <- GETATTR $DISPSERIALNO
    DBG: chan_7 -> S $DISPSERIALNO FFFE+42315277
    DBG: chan_7 -> OK
    DBG: chan_7 <- SERIALNO --demand=D276000124010200FFFE42315277
    DBG: chan_7 -> S SERIALNO D276000124010200FFFE42315277
    DBG: chan_7 -> OK
    DBG: chan_7 <- SETDATA 3021300906052B0E03021A050004140040FAE895F31F2660B12248ED8BBF26A300125BABD0322CDDF09E9C15D963528F3EE5C65FED25D5F4A06A00C870ECA356EFAC01EC6AF60908B7F792C0B52571FB10320004726F6F74000E7373682D636F6E6E656374696F6E00237075626C69636B65792D686F7374626F756E642D763030406F70656E7373682E636F6D01000B7373682D656432353531390033000B7373682D656432353531390020BCC215C1C7ACACD548F0C36AB64F62A9FCF47E533DAC7070E460460FB80DA8040033000B7373682D6564323535313900209E01C3E55A1A346ED50BA91A9AE6752CED4ACC5B747450EC58B33E558718BC44
    DBG: chan_7 -> OK
    DBG: chan_7 <- PKAUTH 24C58979C8A14326ECBA27CE64C86D0D563D
    DBG: send apdu: c=00 i=88 p1=00 p2=00 lc=260 le=256 em=0
    operation auth result: Invalid value
    app_auth failed: Invalid value
    DBG: chan_7 -> ERR 100663351 Invalid value
    DBG: chan_7 <- RESTART
    DBG: chan_7 -> OK

Relevant part when I use -oKexAlgorithms=curve25519-sha256 for a successful SSH command:

    2022-12-30 14:55:37 scdaemon[8885] DBG: chan_7 <- SETDATA 3021300906052B0E03021A0500041400201B17C1E7A476E697A846BFEC82D58277CE29BE5D5E4729707B50817AB58DAEAA320004726F6F74000E7373682D636F6E6E656374696F6E00237075626C69636B65792D686F7374626F756E642D763030406F70656E7373682E636F6D01000B7373682D656432353531390033000B7373682D656432353531390020BCC215C1C7ACACD548F0C36AB64F62A9FCF47E533DAC7070E460460FB80DA8040033000B7373682D6564323535313900209E01C3E55A1A346ED50BA91A9AE6752CED4ACC5B747450EC58B33E558718BC44
    2022-12-30 14:55:37 scdaemon[8885] DBG: chan_7 -> OK
    2022-12-30 14:55:37 scdaemon[8885] DBG: chan_7 <- PKAUTH 24C58979C8A14326ECBA27CE64C86D0D563D
    2022-12-30 14:55:37 scdaemon[8885] DBG: send apdu: c=00 i=88 p1=00 p2=00 lc=228 le=256 em=0
    2022-12-30 14:55:37 scdaemon[8885] DBG: PCSC_data: 00 88 00 00 E4 00 00 00 20 1B 17 C1 E7 A4 76 E6 97 A8 46 BF EC 82 D5 82 77 CE 29 BE 5D 5E 47 29 70 7B 50 81 7A B5 8D AE AA 32 00 00 00 04 72 6F 6F 74 00 00 00 0E 73 73 68 2D 63 6F 6E 6E 65 63 74 69 6F 6E 00 00 00 23 70 75 62 6C 69 63 6B 65 79 2D 68 6F 73 74 62 6F 75 6E 64 2D 76 30 30 40 6F 70 65 6E 73 73 68 2E 63 6F 6D 01 00 00 00 0B 73 73 68 2D 65 64 32 35 35 31 39 00 00 00 33 00 00 00 0B 73 73 68 2D 65 64 32 35 35 31 39 00 00 00 20 BC C2 15 C1 C7 AC AC D5 48 F0 C3 6A B6 4F 62 A9 FC F4 7E 53 3D AC 70 70 E4 60 46 0F B8 0D A8 04 00 00 00 33 00 00 00 0B 73 73 68 2D 65 64 32 35 35 31 39 00 00 00 20 9E 01 C3 E5 5A 1A 34 6E D5 0B A9 1A 9A E6 75 2C ED 4A CC 5B 74 74 50 EC 58 B3 3E 55 87 18 BC 44 00
    2022-12-30 14:55:37 scdaemon[8885] DBG: response:
Re: using OpenPGP card to unlock a LUKS device on boot
On 06.04.22 at 18:15, Robert J. Hansen via Gnupg-users wrote:
>> You're barking up the wrong tree: It wasn't me who brought politics to
>> this list.
>
> You're the one who is turning a single throwaway line in someone's
> signature block into an angry argument.

No. But you're the one who obviously _must_ have the last word.

>> Nonsense. The OP issued a statement, I replied and that could have been
>> it. It is you who is obviously thriving on extending this discussion.
>
> It "could have been it", I am certain, if he had apologized, removed the
> line from his signature block, and stopped. Had he done otherwise we'd
> be right where we are now.

Assumptions are the mother of all disasters.

> Regardless: I think I've made my position clear. He is under no
> obligation to remove a line from his signature block that you object to
> on purely political grounds. Let's drop this subject and return to
> talking about GnuPG.

Amen!

Rainer
Re: using OpenPGP card to unlock a LUKS device on boot
> You're barking up the wrong tree: It wasn't me who brought politics to
> this list.

You're the one who is turning a single throwaway line in someone's signature block into an angry argument.

> Nonsense. The OP issued a statement, I replied and that could have been
> it. It is you who is obviously thriving on extending this discussion.

It "could have been it", I am certain, if he had apologized, removed the line from his signature block, and stopped. Had he done otherwise we'd be right where we are now.

Regardless: I think I've made my position clear. He is under no obligation to remove a line from his signature block that you object to on purely political grounds. Let's drop this subject and return to talking about GnuPG.
Re: using OpenPGP card to unlock a LUKS device on boot
On 06.04.22 at 17:04, Robert J. Hansen via Gnupg-users wrote:
>> Just as I am free to comment on a political statement that I find
>> provocative, blatantly wrong and in the context of current events almost
>> derisive.
>
> Excepting that this is not a mailing list for politics.

You're barking up the wrong tree: It wasn't me who brought politics to this list.

> Matthias has a line in his signature that you object to. I object to
> it, too, but the only thing we need to do is nothing. Perhaps you'd

There are times when "doing nothing" isn't an option any longer. It may have escaped you but there is a war raging in Europe.

> like to place your own line in your own signature file making your
> pro-NATO feelings clear? Either way, bringing it to the forefront of
> discussion is incredibly off-topic.

Nonsense. The OP issued a statement, I replied and that could have been it. It is you who is obviously thriving on extending this discussion.

> We'd like to keep this mailing list on-topic. Thanks for
> understanding. :)

Then heed your own advice and simply keep your wisdoms to yourself.

Rainer
Re: using OpenPGP card to unlock a LUKS device on boot
> Just as I am free to comment on a political statement that I find
> provocative, blatantly wrong and in the context of current events almost
> derisive.

Excepting that this is not a mailing list for politics.

Matthias has a line in his signature that you object to. I object to it, too, but the only thing we need to do is nothing. Perhaps you'd like to place your own line in your own signature file making your pro-NATO feelings clear? Either way, bringing it to the forefront of discussion is incredibly off-topic.

We'd like to keep this mailing list on-topic. Thanks for understanding. :)
Re: using OpenPGP card to unlock a LUKS device on boot
On 06.04.22 at 16:06, Robert J. Hansen via Gnupg-users wrote:
>> Given recent events: can't you spare us your stupid signature?
>
> Matthias should be, and is, free to advocate for his beliefs in his
> signature.

Just as I am free to comment on a political statement that I find provocative, blatantly wrong and in the context of current events almost derisive.

> If we don't stand up for people's right to peacefully say things we
> don't like, we have failed as a community.

Then stand up for *my* right to peacefully say things as well. Or perhaps just mind your own business.

> I say this as an American who's a fanatical supporter of NATO. Leave
> the guy alone, and let's get back to discussions about GnuPG. Thanks. :)

American or whatever: fanatics are always suspicious to me. Apart from that: What I do or say is not yours to decide. And I don't need your advice in this matter. And the OP is probably able to speak for himself.

The signature is a provocative political statement and it therefore has to be expected and is probably even intended that people react to it. And so I did. That's all. Like it or not.

Rainer
Re: using OpenPGP card to unlock a LUKS device on boot
> Given recent events: can't you spare us your stupid signature?

Matthias should be, and is, free to advocate for his beliefs in his signature.

If we don't stand up for people's right to peacefully say things we don't like, we have failed as a community.

I say this as an American who's a fanatical supporter of NATO. Leave the guy alone, and let's get back to discussions about GnuPG. Thanks. :)
Re: using OpenPGP card to unlock a LUKS device on boot
On 05.04.22 at 16:57, Matthias Apitz wrote:
>
> Hello,
>
> Can someone please comment in the forum or here (and I copy it over) how
> an OpenPGP card could be used to unlock a ciphered LUKS partition during
> boot of the L5 mobile device, see this posting at the end:
>
> https://forums.puri.sm/t/librem-5-unlock-luks-volume-with-a-fido2-device/16890/7
>
> Werner, what about your L5?
>
> Thanks
>
> matthias
>

Given recent events: can't you spare us your stupid signature? Or replace "instead" by "through"? Even for die-hard ideologists it's about time to adapt to reality.

Rainer
Re: using OpenPGP card to unlock a LUKS device on boot
On Tue, 5 Apr 2022 16:57, Matthias Apitz said:

> an OpenPGP card could be used to unlock a ciphered LUKS partition during
> boot of the L5 mobile device, see this posting at the end:

No idea, I don't use LUKS but g13 ;-)

> Werner, what about your L5?

It is gathering dust in one of my drawers - frankly no time to play with it. A colleague of mine used it for some time in the home office but then switched back to an old Fairphone.

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
using OpenPGP card to unlock a LUKS device on boot
Hello,

Can someone please comment in the forum or here (and I copy it over) how an OpenPGP card could be used to unlock a ciphered LUKS partition during boot of the L5 mobile device, see this posting at the end:

https://forums.puri.sm/t/librem-5-unlock-luks-volume-with-a-fido2-device/16890/7

Werner, what about your L5?

Thanks

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

Peace instead of NATO! Мир вместо НАТО! Frieden statt NATO! ¡Paz en vez de OTAN!
Re: OpenPGP card and gpg-agent TTL
On Monday, November 08, 2021 at 11:18:37 a.m. +0100, Matthias Apitz wrote:

> > You did the
> >
> >   gpg-connect-agent updatestartuptty /bye
> >
> > thing to tell gpg-agent where it shall pop up the pinentry? Further
> > ...
>
> Thanks for the hints. Magically it works now by its own after adding
> this to the ~purism/.bashrc (the terminal app does not source .profile).
>
> In a SSH session a 'pass test' asks now inline for the PIN and in the
> terminal app some Gnome window pops up.

Re/ pinentry there is even more intelligent "magic": The available pinentry pgms are:

    purism@pureos:~$ which pinentry
    /usr/bin/pinentry
    purism@pureos:~$ ls -l /usr/bin/pinentry
    lrwxrwxrwx 1 root root 26 Nov 5 18:05 /usr/bin/pinentry -> /etc/alternatives/pinentry
    purism@pureos:~$ ls -l /etc/alternatives/pinentry
    lrwxrwxrwx 1 root root 24 Sep 11 08:25 /etc/alternatives/pinentry -> /usr/bin/pinentry-gnome3
    purism@pureos:~$ ls -l /usr/bin/pinentr*
    lrwxrwxrwx 1 root root    26 Nov 5 18:05 /usr/bin/pinentry -> /etc/alternatives/pinentry
    -rwxr-xr-x 1 root root 59848 May 8 2020 /usr/bin/pinentry-curses
    -rwxr-xr-x 1 root root 72136 May 8 2020 /usr/bin/pinentry-gnome3
    lrwxrwxrwx 1 root root    30 Sep 11 08:25 /usr/bin/pinentry-x11 -> /etc/alternatives/pinentry-x11

And when the PIN is needed in a SSH session, then the PIN is asked in the SSH session with:

    ┌──────────────────────────────┐
    │ Please unlock the card       │
    │                              │
    │ Number: 0005 A6FE            │
    │ Holder: Matthias Apitz       │
    │                              │
    │ PIN                          │
    │                              │
    │                              │
    └──────────────────────────────┘

*when* the L5 is locked; when the L5 is not locked the PIN is asked on its screen with the /usr/bin/pinentry-gnome3. Nice!

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

August 13, 1961: Better a wall than a war. And, while the GDR was still existing, no German troops and bombs have been killed in Yugoslavia, Afghanistan, Africa...
Re: OpenPGP card and gpg-agent TTL
On Sunday, November 07, 2021 at 02:14:59 p.m. +0100, Werner Koch via Gnupg-users wrote:

> On Fri, 5 Nov 2021 17:30, Matthias Apitz said:
>
> > But, it does not work locally on the L5 in its "terminal app", the
> > "pass" command in the terminal raises an error about no secret provided.
>
> You did the
>
>   gpg-connect-agent updatestartuptty /bye
>
> thing to tell gpg-agent where it shall pop up the pinentry? Further
> ...

Thanks for the hints. Magically it works now by its own after adding this to the ~purism/.bashrc (the terminal app does not source .profile).

In a SSH session a 'pass test' asks now inline for the PIN and in the terminal app some Gnome window pops up.

See also: https://forums.puri.sm/t/terminal-app-purism-profile/15325

Maybe you want to subscribe to this forum (if not already done). It's a pity that Purism uses a "forum" and not a standard mailing-list :-(

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

August 13, 1961: Better a wall than a war. And, while the GDR was still existing, no German troops and bombs have been killed in Yugoslavia, Afghanistan, Africa...
Re: OpenPGP card and gpg-agent TTL
On Fri, 5 Nov 2021 17:30, Matthias Apitz said:

> But, it does not work locally on the L5 in its "terminal app", the
> "pass" command in the terminal raises an error about no secret provided.

You did the

  gpg-connect-agent updatestartuptty /bye

thing to tell gpg-agent where it shall pop up the pinentry? Further you can debug things by adding "-v" to the gpg invocation or by letting gpg-agent create a debug file:

--8<---cut here---start->8---
log-file /foo/bar/gpg-agent.log
verbose
debug ipc
debug-pinentry
--8<---cut here---end--->8---

Or use

  log-file tcp://1.2.3.4:40711

and run "watchgnupg --tcp 40711" on the host with IP 1.2.3.4. Not TLS, so take care. But it is convenient to see what's going on.

Thanks for your other mail on the need to flash the firmware for the BT device. I have not yet found the time to do that, though.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by federal law.
Re: OpenPGP card and gpg-agent TTL
Werner,

I have an issue with the 'pinentry' in the L5: /usr/bin/pinentry is as default a symlink to /etc/alternatives/pinentry and pops up on the L5 as some kind of graphical application, also when I use the OpenPGP card in the L5 when connected via SSH to the L5, which is not what I wanted: having to key in the PIN on the L5 when I'm using it via SSH (and the L5 sits in some other room).

That's why I changed the symlink to point to /usr/bin/pinentry-curses which works fine via SSH, i.e. the PIN is asked in the terminal where I run the SSH session.

But, it does not work locally on the L5 in its "terminal app", the "pass" command in the terminal raises an error about no secret provided. The "pass" command is just a shell script and uses "gpg" to decrypt the file containing the requested password for some web access, running something like:

    $GPG -d "${GPG_OPTS[@]}" "$passfile"

What could be the reason for this? I tried /usr/bin/pinentry-curses in the "terminal app" which does work.

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

August 13, 1961: Better a wall than a war. And, while the GDR was still existing, no German troops and bombs have been killed in Yugoslavia, Afghanistan, Africa...
Re: OpenPGP card and gpg-agent TTL
On Friday, November 05, 2021 at 08:32:17 a.m. +0100, Werner Koch via Gnupg-users wrote:

> it is good that things work for you. And thanks for the hint with the
> smartcard. I was probably blind that I didn't notice it. I put an
> older card into the slot (cut down with a sharp wire cutter) but I have
> not seen the device.

Hello Werner,

To get the OpenPGP card working, please follow the steps in my attachment OpenPGP-L5.txt. You must flash some firmware into the device.

> Even after an OS update there is still no Bluetooth device (regardless
> of the kill switch position) and the WLAN sometimes needs a reboot. I
> also wonder why there are no easily accessible teardown images - the long
> Youtube video is not very helpful because it shows obvious things,

To solve the Bluetooth / WLAN problems, follow the steps here on how to load again some other firmware. Esp. change also after this in the file /etc/modprobe.d/librem5-devkit.conf the value dev_oper_mode from 5 to 13:

https://forums.puri.sm/t/bluetooth-support-for-librem-5/14965/45

Hope it helps

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

August 13, 1961: Better a wall than a war. And, while the GDR was still existing, no German troops and bombs have been killed in Yugoslavia, Afghanistan, Africa...

How to setup the OpenPGP card in the Purism L5 phone
g...@unixarea.de, October 2021

https://puri.sm/posts/openpgp-in-your-pocket/ (includes video about inserting the card)
https://source.puri.sm/angus.ainslie/ttxs-firmware/-/blob/purism/PURISM.md

install and get the software:

    $ cd ~/guru
    $ sudo apt install stm32flash git
    $ git clone https://source.puri.sm/angus.ainslie/ttxs-firmware
    $ cd ttxs-firmware

Upgrade the smart card reader firmware:

    $ ./scripts/stm_reflash.sh
    ...
    stm32flash 0.5

    http://stm32flash.sourceforge.net/

    Using Parser : Raw BINARY
    Interface serial_posix: 57600 8E1
    Version : 0x31
    Option 1 : 0x00
    Option 2 : 0x00
    Device ID: 0x0435 (STM32L43xxx/44xxx)
    - RAM: Up to 48KiB (12544b reserved by bootloader)
    - Flash : Up to 256KiB (size first sector: 1x2048)
    - Option RAM : 16b
    - System RAM : 28KiB
    Write to memory
    Erasing memory
    Wrote address 0x08002388 (100.00%) Done.

And set up the smart card:

    $ ./scripts/smartcard_setup.sh

There have been issues, see also:

https://forums.puri.sm/t/openpgp-card-waiting-for-the-first-reader/15189
https://source.puri.sm/Librem5/OS-issues/-/issues/119

What helped was:

    # stty -F /dev/ttymxc2 raw cstopb -parenb cs8 115200
    # pcscd -f --debug

The startup of pcscd is to be configured here and start is via systemctl:

    # vim /lib/systemd/system/pcscd.service
    # systemctl status pcscd
    # systemctl stop pcscd
    # systemctl start pcscd

Setting up the card

    $ gpg --card-status
    Reader ...: TTXS serial 00 00
    Application ID ...: D2760001240103040005A6FE
    Application type .: OpenPGP
    Version ..: 3.4
    Manufacturer .: ZeitControl
    Serial number : A6FE
    Name of cardholder: [not set]
    Language prefs ...: de
    Salutation ...:
    URL of public key : [not set]
    Login data ...: [not set]
    Signature PIN : forced
    Key attributes ...: rsa2048 rsa2048 rsa2048
    Max. PIN lengths .: 64 64 64
    PIN retry counter : 3 0 3
    Signature counter : 0
    KDF setting ..: off
    Signature key : [none]
    Encryption key: [none]
    Authentication key: [none]
    General key info..: [none]

    $ gpg --change-pin    # changed the PIN and Admin PIN
    $ gpg --card-edit     # generated the keys
    $ export GNUPGHOME=/home/guru/.gnupg
    $ pass init 'CCID L5'
    Password store initialized for g...@unixarea.de
    $ pass insert -m test
    ...
    $ gpg --with-keygrip -K
    /home/purism/.gnupg/pubring.kbx
    ---
    sec>  rsa2048 2021-10-30 [SC]
          336EB96892FE9FE7F6AD01D6529B7423F3608141
          Keygrip = FCBA9E53DF1AF8D6E8D82B0418A01FA33264F704
          Card serial no. = 0005 A6FE
    uid           [ultimate] Matthias Apitz (GnuPG CCID L5)
    ssb>  rsa2048 2021-10-30 [A]
          Keygrip = EE34E2B1F932D1567A6E21023F4D65B71CF953FF
    ssb>  rsa2048 2021-10-30 [E]
          Keygrip = C544F16750F7F55DCEF781CF57C232015DDF1F90

the '>' means that these keys are on the card; export the pub key with:

    $ gpg --export --armor > ccid-L5-export-key-guru.pub

lock the card again:

    $ gpgconf --reload scdaemon

I added this to the pass cmd:

    $ tail -8 /usr/bin/pass
    # power down the OpenPGP card
    # g...@unixarea.de
    #
    gpgconf --reload scdaemon
    sleep 2
    exit 0

so the card gets locked again after each operation with the pass cmd.
Re: OpenPGP card and gpg-agent TTL
Hi Matthias,

On Thu, 4 Nov 2021 09:40, Matthias Apitz said:

> I got mine in early October after exactly 4 years waiting. I do not

Same here. I actually met with Todd back then and my colleague Gniibe wrote the driver for their planned card reader. Then we had that long delay.

It is good that things work for you. And thanks for the hint with the smartcard. I was probably blind that I didn't notice it. I put an older card into the slot (cut down with a sharp wire cutter) but I have not seen the device.

Even after an OS update there is still no Bluetooth device (regardless of the kill switch position) and the WLAN sometimes needs a reboot. I also wonder why there are no easily accessible teardown images - the long Youtube video is not very helpful because it shows obvious things,

> I have and have had some Linux mobiles, also the OpenMoko. The
> Purism L5 is the most useful until now for me. You see, I really don't

As long as you do not count the Jollas in. Purism's decision to write yet another software stack is highly questionable. IMHO they should have used the free stuff from SFOS and replaced the proprietary UI using Qt instead of GTK+. That would have solved the battery problems instantly,

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by federal law.
Re: OpenPGP card and gpg-agent TTL
On Thursday, November 04, 2021 at 09:45:57 AM +, Andrew Gallagher via Gnupg-users wrote:

> On 04/11/2021 08:40, Matthias Apitz wrote:
> > I bought the OpenPGP card from
> > Purism for USD 15, I don't know if the small format exists here in
> > Germany.
>
> Not Germany, but Cryptoshop in Vienna sells them:
>
> https://en.cryptoshop.com/products/smartcards/open-pgp-smartcard-v2-id-000.html

I have had the above card for some years in a USB dongle. But the one which fits in the L5 is smaller:

https://shop.puri.sm/shop/purism-openpgp-card/

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
August 13, 1961: Better a wall than a war. And, while the GDR still existed, no German troops and bombs have been killed in Yugoslavia, Afghanistan, Africa...
Re: OpenPGP card and gpg-agent TTL
On 04/11/2021 08:40, Matthias Apitz wrote:
> I bought the OpenPGP card from
> Purism for USD 15, I don't know if the small format exists here in
> Germany.

Not Germany, but Cryptoshop in Vienna sells them:

https://en.cryptoshop.com/products/smartcards/open-pgp-smartcard-v2-id-000.html

--
Andrew Gallagher
Re: OpenPGP card and gpg-agent TTL
On Thursday, November 04, 2021 at 09:40:40 AM +0100, Matthias Apitz wrote:

> ...
>
> I have and have had some Linux mobiles, also the OpenMoko. The
> Purism L5 is the most useful until now for me. You see, I really don't
> share your opinion. The biggest problem until now is the duration of the
> battery of 8-10 hours, because the phone until now does not suspend to
> RAM. They're working on it...
>

I forgot to add a joke. The L5 has 3 hardware kill switches, real kill switches, i.e. the power down is not done by software but by cutting the electrical power line of the respective chips: 1) the modem or 2) Wifi+Bluetooth or 3) cam+micro. When I did the first test voice calls to my family at home, nobody could hear me. Guess why :-)

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
Re: OpenPGP card and gpg-agent TTL
On Thursday, November 04, 2021 at 08:31:08 AM +0100, Werner Koch via Gnupg-users wrote:

> On Wed, 3 Nov 2021 18:55, Matthias Apitz said:
>
> > card, and available without any laptop or USB dongle, just in my phone -- a
> > big progress. Thanks to Purism to bring this with the L5 to the Linux
> > world!
>
> You mean the Librem5 has indeed a second slot for a smartcard? I
> recently received mine but it is more or less unusable to me. It even
> comes w/o a bluetooth device - at least according to the warning notice
> I see - for things I can see because the network settings are not fully
> accessible. It is more or less a brick; the OpenMoko used to be better.

Hello Werner,

I got mine in early October after exactly 4 years waiting. I do not share your opinions about the L5. I moved my 100++ contacts from the Ubuntu phone E4.5 to the L5 (which was a matter of seconds, export to VCF, SCP over and load; both use the same evolution database for storing them). I bought a SIM, have Internet via G4 on the road, or Wifi. Both do fine, Wifi with any access point until now. I can attach a Bluetooth keyboard with an integrated touchpad. Both work fine, see this photo:

http://www.unixarea.de/l5-with-bt-keyboard.jpg

The slot for the mini OpenPGP card is behind the battery, just pull the battery out and you will see. I bought the OpenPGP card from Purism for USD 15, I don't know if the small format exists here in Germany. Here you have a small video showing the card insert etc.:

https://puri.sm/posts/openpgp-in-your-pocket/

And, I hacked together a Spanish OSK for the terminal app, because I write a lot in Spanish with a command line telegram client.

I have and have had some Linux mobiles, also the OpenMoko. The Purism L5 is the most useful until now for me. You see, I really don't share your opinion. The biggest problem until now is the duration of the battery of 8-10 hours, because the phone until now does not suspend to RAM. They're working on it...

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
Re: OpenPGP card and gpg-agent TTL
On Wed, 3 Nov 2021 18:55, Matthias Apitz said:

> card, and available without any laptop or USB dongle, just in my phone -- a
> big progress. Thanks to Purism to bring this with the L5 to the Linux world!

You mean the Librem5 has indeed a second slot for a smartcard? I recently received mine but it is more or less unusable to me. It even comes w/o a bluetooth device - at least according to the warning notice I see - for things I can see because the network settings are not fully accessible. It is more or less a brick; the OpenMoko used to be better.

Shalom-Salam,

Werner
Re: OpenPGP card and gpg-agent TTL
On Tuesday, November 02, 2021 at 06:34:16 PM +0100, Werner Koch via Gnupg-users wrote:

> On Sat, 30 Oct 2021 15:50, Matthias Apitz said:
>
> > I just withdraw the USB dongle after the operation. I was thinking that
> > the gpg-agent.conf entry 'max-cache-ttl' will also expire the unlocked
> > state of the OpenPGP card, which it does not. How could I do this?
>
> No, it does not because it is the decision of the card how long the
> VERIFY command sent to the card allows the use of the key. For most
> cards and keys the keys are unlocked by VERIFY until the card is powered
> down. The OpenPGP cards allow to limit the VERIFY command for the first
> key to one signing operation ("forcesig" toggles this).
>
> As a workaround use "gpgconf --reload scdaemon" to power down the card.
>

Thanks. As I will use the card in the phone mostly (only) with the pass command, I've added this to the script to get the card locked after any usage with pass:

purism@pureos:~$ tail -8 /usr/bin/pass
# power down the OpenPGP card
# g...@unixarea.de
#
gpgconf --reload scdaemon
sleep 2
exit 0

I have now my ~330 passwords always with me, encrypted with an OpenPGP card, and available without any laptop or USB dongle, just in my phone -- a big progress. Thanks to Purism to bring this with the L5 to the Linux world!

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
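The tail appended to /usr/bin/pass above does the job, but it has three practical weaknesses: a package upgrade overwrites /usr/bin/pass, any error path that exits pass early never reaches lines appended at the end of the script, and the unconditional "exit 0" hides pass's real exit status from whatever called it. The wrapper below is an added example (not code from this post or from the password-store project) that runs one pass command as a child process and then powers the card down with "gpgconf --reload scdaemon", the step Werner recommends in the quoted reply, no matter how pass exited, while returning pass's own status. The script name pass-locked and the GPGCONF and PASS_LOCK_DELAY environment knobs are assumptions of this example; it expects gpgconf on PATH.

```shell
#!/bin/sh
# pass-locked: run one pass(1) command, then force the OpenPGP card to power
# down so the PIN is required again on the next use.
# Added example; not the /usr/bin/pass tail from the mailing-list post.
#
# Assumptions (not from the original post): gpgconf is on PATH, GPGCONF may
# override its location, and PASS_LOCK_DELAY is an optional delay in seconds
# before the power-down, in the spirit of the "sleep 2" in the original tail.

GPGCONF="${GPGCONF:-gpgconf}"
PASS_LOCK_DELAY="${PASS_LOCK_DELAY:-0}"

# Power the card down. gpg-agent's max-cache-ttl does not do this: the card's
# own VERIFY state lasts until power-down, which reloading scdaemon forces.
lock_card() {
    "$GPGCONF" --reload scdaemon
}

# Run the given command, then lock the card regardless of how it exited.
# Returns the command's exit status, not the status of the lock step, so a
# failed "pass show" is still reported to the caller.
run_then_lock() {
    "$@"
    rc=$?
    if [ "$PASS_LOCK_DELAY" -gt 0 ]; then
        sleep "$PASS_LOCK_DELAY"
    fi
    if ! lock_card; then
        printf 'warning: could not reload scdaemon; card may still be unlocked\n' >&2
    fi
    return "$rc"
}

# Entry point when the file is installed under the name pass-locked, e.g.
#   pass-locked show mail/example.org
# Under any other name (for instance when sourced) only the functions above
# are defined and nothing runs.
case "${0##*/}" in
    pass-locked) run_then_lock pass "$@" ;;
esac
```

Because the card is powered down from outside pass, the PIN prompt returns on the next operation for all three key slots. For the signing key alone, the card's forcesig flag that the reply mentions (toggled from gpg --card-edit) limits a single VERIFY to one signature; decryption and authentication keys stay usable until the card loses power, which is exactly what the reload provides.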
Re: OpenPGP card and gpg-agent TTL
On Sat, 30 Oct 2021 15:50, Matthias Apitz said:

> I just withdraw the USB dongle after the operation. I was thinking that
> the gpg-agent.conf entry 'max-cache-ttl' will also expire the unlocked
> state of the OpenPGP card, which it does not. How could I do this?

No, it does not because it is the decision of the card how long the VERIFY command sent to the card allows the use of the key. For most cards and keys the keys are unlocked by VERIFY until the card is powered down. The OpenPGP cards allow to limit the VERIFY command for the first key to one signing operation ("forcesig" toggles this).

As a workaround use "gpgconf --reload scdaemon" to power down the card.

Shalom-Salam,

Werner
OpenPGP card and gpg-agent TTL
Hello,

I'm using GnuPG together with an OpenPGP card. When I want to decrypt something the gpg-agent is via pinentry asking for the PIN to unlock the card. Normally I don't care about how long the card remains unlocked, because I just withdraw the USB dongle after the operation. I was thinking that the gpg-agent.conf entry 'max-cache-ttl' will also expire the unlocked state of the OpenPGP card, which it does not. How could I do this? Because in the Purism L5 mobile the OpenPGP card is internally inserted behind the battery and so I can't remove it that easy :-)

Thanks

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
OpenPGP card: reader with 2 USB connectors
Hello,

I'm using an OpenPGP card in my FreeBSD laptop and my Ubuntu mobile phone (see photo http://www.unixarea.de/UbuntuPhone-GnuPG-card2.jpg ). The reader is an Identiv uTrust 3512 SAM slot Token which works just fine (after solving an issue in the FreeBSD USB driver). To connect it to the mobile device one needs a small adapter or a cable. See the photo. All this is not very stable, esp. the connector in the mobile device.

Are there any readers with two USB connectors like some USB memory sticks have?

Thanks

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
October, 7 -- The GDR was different: Peace instead of Bundeswehr and wars, Druschba instead of Nazis, to live instead of to survive.
Re: OpenPGP card: how to lock the card again so that PIN is required
On Tuesday, January 01, 2019 at 06:40:56 PM +0100, Dirk Gottschalk wrote:

> Hello Matthias.
>
> On Tuesday, 01.01.2019, 08:36 +0100 Matthias Apitz wrote:
> > Hello,
>
> > This is with gnupg-2.2.12 and pcsc-lite-1.8.23. After an update of
> > the System (FreeBSD CURRENT) the /usr/local/sbin/pcscd does not work
> > anymore with the OpenPGP card (HID Global OMNIKEY 6121 Smart Card
> > Reader) after withdraw and re-insert. It works fine after boot, I
> > have to enter the PIN to unlock the card and all tested functions are
> > working.
>
> Did you check the config for pcscd? Probably it was overwritten by the
> update process.

To close this thread: It turned out being an issue in the USB chips in my laptop which was not correctly handled by the USB driver in the kernel. It is fixed since yesterday with this commit:

https://svnweb.freebsd.org/changeset/base/342778

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
Re: OpenPGP card: how to lock the card again so that PIN is required
On Wednesday, January 02, 2019 at 11:36:54 AM +0100, Werner Koch wrote:

> On Tue, 1 Jan 2019 08:36, g...@unixarea.de said:
>
> > with the OpenPGP card (HID Global OMNIKEY 6121 Smart Card Reader) after
>
> Take care: Usual Omnikey problems with creating and using large keys
> apply.

Thanks. But I'm using this card and reader for a long time. And the same problem is with the uTrust reader.

> > How can I meanwhile 'reset' the OpenPGP card so that on next request for
> > the secrets (decrypt, signing, ssh) the PIN is requested?
>
> gpgconf --reload scdaemon
>
> is the easiest way. You can also use --kill as it is the same for
> scdaemon.

THANKS!!! This works and I now at least can disable the card when I go away from the laptop.

BTW: The CCID and the readers have no manuals how, i.e. in which directions, one has to insert the CCID. Yesterday I took pictures to have this clear now :-)

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
Re: OpenPGP card: how to lock the card again so that PIN is required
Hi,

On 01.01.19 08:36, Matthias Apitz wrote:
> How can I meanwhile 'reset' the OpenPGP card so that on next request for
> the secrets (decrypt, signing, ssh) the PIN is requested?

for key slots 1 and 2 there probably is no way to do this other than unplugging and replugging the device. See also the discussion here [1].

Kind regards
Alex
Re: OpenPGP card: how to lock the card again so that PIN is required
On Tue, 1 Jan 2019 08:36, g...@unixarea.de said:

> with the OpenPGP card (HID Global OMNIKEY 6121 Smart Card Reader) after

Take care: Usual Omnikey problems with creating and using large keys apply.

> How can I meanwhile 'reset' the OpenPGP card so that on next request for
> the secrets (decrypt, signing, ssh) the PIN is requested?

gpgconf --reload scdaemon

is the easiest way. You can also use --kill as it is the same for scdaemon.

Shalom-Salam,

Werner